Diffstat (limited to 'recipes-ids')
-rwxr-xr-xrecipes-ids/samhain/files/run-ptest3
-rw-r--r--recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch28
-rw-r--r--recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch134
-rw-r--r--recipes-ids/samhain/files/samhain-client.default3
-rw-r--r--recipes-ids/samhain/files/samhain-client.init122
-rw-r--r--recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch108
-rw-r--r--recipes-ids/samhain/files/samhain-cross-compile.patch51
-rw-r--r--recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch44
-rw-r--r--recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch24
-rw-r--r--recipes-ids/samhain/files/samhain-pid-path.patch27
-rw-r--r--recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch61
-rw-r--r--recipes-ids/samhain/files/samhain-samhainrc.patch158
-rw-r--r--recipes-ids/samhain/files/samhain-server-volatiles1
-rw-r--r--recipes-ids/samhain/files/samhain-server.default3
-rw-r--r--recipes-ids/samhain/files/samhain-server.init116
-rw-r--r--recipes-ids/samhain/files/samhain-sha256-big-endian.patch22
-rw-r--r--recipes-ids/samhain/files/samhain-standalone.default3
-rw-r--r--recipes-ids/samhain/files/samhain-standalone.init123
-rw-r--r--recipes-ids/samhain/files/samhain.service12
-rw-r--r--recipes-ids/samhain/samhain-client_4.3.2.bb11
-rw-r--r--recipes-ids/samhain/samhain-server_4.3.2.bb20
-rw-r--r--recipes-ids/samhain/samhain-standalone_4.3.2.bb31
-rw-r--r--recipes-ids/samhain/samhain.inc163
-rw-r--r--recipes-ids/suricata/files/emerging.rules.tar.gzbin0 -> 2252393 bytes
-rw-r--r--recipes-ids/suricata/files/no_libhtp_build.patch38
-rw-r--r--recipes-ids/suricata/files/run-ptest3
-rw-r--r--recipes-ids/suricata/files/suricata.service20
-rw-r--r--recipes-ids/suricata/files/suricata.yaml1326
-rw-r--r--recipes-ids/suricata/files/volatiles.03_suricata2
-rw-r--r--recipes-ids/suricata/libhtp_0.5.29.bb15
-rw-r--r--recipes-ids/suricata/suricata.inc9
-rw-r--r--recipes-ids/suricata/suricata_4.1.3.bb97
-rw-r--r--recipes-ids/tripwire/files/add_armeb_arch.patch18
-rw-r--r--recipes-ids/tripwire/files/run-ptest3
-rw-r--r--recipes-ids/tripwire/files/tripwire.cron8
-rw-r--r--recipes-ids/tripwire/files/tripwire.sh9
-rw-r--r--recipes-ids/tripwire/files/tripwire.txt69
-rw-r--r--recipes-ids/tripwire/files/twcfg.txt15
-rw-r--r--recipes-ids/tripwire/files/twinstall.sh320
-rw-r--r--recipes-ids/tripwire/files/twpol-yocto.txt1107
-rw-r--r--recipes-ids/tripwire/tripwire_2.4.3.7.bb74
41 files changed, 4401 insertions, 0 deletions
diff --git a/recipes-ids/samhain/files/run-ptest b/recipes-ids/samhain/files/run-ptest
new file mode 100755
index 0000000..2a4a765
--- /dev/null
+++ b/recipes-ids/samhain/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+current_dir=$(dirname $(readlink -f $0))
+$current_dir/cutest
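Review bot: Both the directory computation and the invocation are unquoted, so a ptest install path containing whitespace would word-split `$0` and `$current_dir`. Quoting keeps the script correct for any path: `current_dir=$(dirname "$(readlink -f "$0")")` and `"$current_dir/cutest"`. Because `cutest` is the last command, its exit status becomes the script's, which is what the ptest runner needs; a one-line comment saying so would save the next reader from adding an explicit `exit`.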
diff --git a/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
new file mode 100644
index 0000000..088a938
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
@@ -0,0 +1,28 @@
+From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Thu, 14 Sep 2017 13:26:55 +0800
+Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd
+
+Upstream-Status: Pending
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 01de987..49356cf 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h
+ samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c
+ @echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \
+ ./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \
+- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \
++ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \
+ rm x_samhain_setpwd.c
+
+ samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c
+--
+2.11.0
+
diff --git a/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
new file mode 100644
index 0000000..6bf67e0
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
@@ -0,0 +1,134 @@
+From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Thu, 14 Sep 2017 11:02:12 +0800
+Subject: [PATCH] configure.ac: avoid searching host for postgresql
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ configure.ac | 101 +++--------------------------------------------------------
+ 1 file changed, 5 insertions(+), 96 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a224c68..f658d53 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1278,90 +1278,11 @@ AC_ARG_WITH(database,
+ AC_DEFINE(WITH_POSTGRES)
+ AC_DEFINE(WITH_DATABASE)
+ #
+- PGCONF="no"
+- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin"
+- OLD_IFS="$IFS"
+- IFS=":"
+- for ff in ${MY_PATH}
+- do
+- if test -f "$ff/pg_config"
+- then
+- PGCONF="$ff/pg_config"
+- fi
+- done
+- IFS="${OLD_IFS}"
+- #
+- #
+- if test "x${PGCONF}" = "xno"
+- then
+- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME)
+- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}"
+- for i in $pgsql_directory; do
+- if test -r $i/include/pgsql/libpq-fe.h; then
+- PGSQL_INC_DIR=$i/include
+- PGSQL_DIR=$i
+- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h
+- fi
+- done
+- if test -z "$PGSQL_DIR"; then
+- for i in $pgsql_directory; do
+- if test -r $i/include/postgresql/libpq-fe.h; then
+- PGSQL_INC_DIR=$i/include
+- PGSQL_DIR=$i
+- fi
+- done
+- fi
+- if test -z "$PGSQL_DIR"; then
+- for i in $pgsql_directory; do
+- if test -r $i/include/libpq-fe.h; then
+- PGSQL_INC_DIR=$i/include
+- PGSQL_DIR=$i
+- fi
+- done
+- fi
+-
+- if test -z "$PGSQL_DIR"; then
+- tmp=""
+- for i in $pgsql_directory; do
+- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql"
+- done
+- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp)
+- fi
+-
+- for i in lib lib/pgsql lib/postgresql; do
+- str="$PGSQL_DIR/$i/libpq.*"
+- for j in `echo $str`; do
+- if test -r $j; then
+- PGSQL_LIB_DIR="$PGSQL_DIR/$i"
+- break 2
+- fi
+- done
+- done
+-
+- if test -z "$PGSQL_LIB_DIR"; then
+- for ff in $pgsql_directory; do
+- for i in lib lib/pgsql lib/postgresql; do
+- str="$ff/$i/libpq.*"
+- for j in `echo $str`; do
+- if test -r $j; then
+- PGSQL_LIB_DIR="$ff/$i"
+- break 3
+- fi
+- done
+- done
+- done
+- fi
+-
+- if test -z "$PGSQL_LIB_DIR"; then
+- tmp=""
+- for i in $pgsql_directory; do
+- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql"
+- done
+- FAIL_MESSAGE("postgresql library libpq", $tmp)
+- fi
+-
+- AC_MSG_RESULT(yes)
+-
++ if test -z "${PGSQL_LIB_DIR}" ; then
++ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")
++ elif test -z "${PGSQL_INC_DIR}" ; then
++ FAIL_MESSAGE("PGSQL_INC_DIR is not set!")
++ else
+ LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm"
+ if test x"$enable_static" = xyes; then
+ LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm"
+@@ -1370,18 +1291,6 @@ AC_ARG_WITH(database,
+ fi
+ # CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}"
+ CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}"
+- AC_CHECK_HEADERS(pgsql/libpq-fe.h)
+- AC_CHECK_HEADERS(postgresql/libpq-fe.h)
+- else
+- pg_lib_dir=`${PGCONF} --libdir`
+- if test x"$enable_static" = xyes; then
+- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm"
+- else
+- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm"
+- fi
+- pg_inc_dir=`${PGCONF} --includedir`
+- # CFLAGS="$CFLAGS -I${pg_inc_dir}"
+- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}"
+ fi
+ elif test "x${withval}" = "xodbc"; then
+ AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME)
+--
+2.11.0
+
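Review bot: The replacement `if test -z "${PGSQL_LIB_DIR}" ... elif test -z "${PGSQL_INC_DIR}"` block also drops the `AC_CHECK_HEADERS(pgsql/libpq-fe.h)` and `AC_CHECK_HEADERS(postgresql/libpq-fe.h)` probes, so a wrong `PGSQL_INC_DIR` is no longer caught at configure time and surfaces only as a compile failure in the database code. Since the two variables now come straight from the environment, a cheap existence test keeps the early failure, e.g. a further branch `elif test ! -r "${PGSQL_INC_DIR}/libpq-fe.h" && test ! -r "${PGSQL_INC_DIR}/postgresql/libpq-fe.h"; then FAIL_MESSAGE("libpq-fe.h not found under PGSQL_INC_DIR")`. Note also that the new `FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")` calls pass one argument while the removed calls passed two; whether the macro tolerates that depends on its definition, which is outside this patch.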
diff --git a/recipes-ids/samhain/files/samhain-client.default b/recipes-ids/samhain/files/samhain-client.default
new file mode 100644
index 0000000..9899577
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-client.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_CLIENT_START="no" \ No newline at end of file
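Review bot: The comment on the first line says "start the server", but this file gates the client via `SAMHAIN_CLIENT_START`; samhain-standalone.default reuses the same wording for the standalone daemon. Suggested comment: `# Set this to "yes" to start the samhain client once /etc/samhainrc is configured.` The file also has no trailing newline, which the `. /etc/default/samhain-client` in the init script tolerates but which makes later appends and diffs noisier than they need to be.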
diff --git a/recipes-ids/samhain/files/samhain-client.init b/recipes-ids/samhain/files/samhain-client.init
new file mode 100644
index 0000000..d5fabed
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-client.init
@@ -0,0 +1,122 @@
+#!/bin/bash
+# chkconfig: 2345 99 10
+# description: File Integrity Checking Daemon
+#
+# processname: samhain
+# config : /etc/samhainrc
+# logfile : /var/log/samhain_log
+# database: /var/lib/samhain/samhain_file
+#
+
+NAME=samhain
+DAEMON=/usr/sbin/samhain
+RETVAL=0
+PIDFILE=/var/run/samhain.pid
+
+. /etc/default/rcS
+
+. /etc/default/samhain-client
+
+if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then
+ echo "${0}: client disabled in /etc/default/samhain-client"
+ exit 0
+fi
+
+if [ -x $DAEMON ]; then
+ :
+else
+ echo "${0}: executable ${DAEMON} not found"
+ exit 1
+fi
+
+if [ ! -e /var/lib/samhain/samhain_file ]; then
+ echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
+ echo " run 'samhain -t init' before samhian-client can start."
+ exit 1
+fi
+
+samhain_done()
+{
+ if [ $RETVAL -eq 0 ]; then
+ echo "."
+ else
+ echo " failed."
+ fi
+}
+
+log_stat_msg () {
+case "$1" in
+ 0)
+ echo "Service $NAME: Running";
+ ;;
+ 1)
+ echo "Service $NAME: Stopped and /var/run pid file exists";
+ ;;
+ 3)
+ echo "Service $NAME: Stopped";
+ ;;
+ *)
+ echo "Service $NAME: Status unknown";
+ ;;
+esac
+}
+
+case "$1" in
+ start)
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+ #
+ echo -n "Starting ${NAME}"
+ start-stop-daemon --start --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ ;;
+
+ stop)
+ echo -n "Stopping $NAME"
+ start-stop-daemon --stop --quiet --exec $DAEMON
+ RETVAL=$?
+
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+ if test -S /var/run/${NAME}.sock; then
+ /bin/rm -f /var/run/${NAME}.sock
+ fi
+ samhain_done
+ ;;
+
+ restart)
+ $0 stop
+ sleep 3
+ $0 start
+ RETVAL=$?
+ ;;
+
+ reload|force-reload)
+ echo -n "Reloading $NAME configuration files"
+ start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ ;;
+
+ status)
+ $DAEMON status
+ RETVAL=$?
+ log_stat_msg ${RETVAL}
+ ;;
+
+ *)
+ echo "$0 usage: {start|stop|status|restart|reload}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
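Review bot: The `start)` branch deletes `${PIDFILE}` unconditionally before `start-stop-daemon --start --quiet --exec $DAEMON`, so a second `start` while the daemon is running removes the live PID file; a duplicate process is presumably only avoided because `--exec` matches already-running instances by executable. Handing the PID file to start-stop-daemon lets it judge staleness itself: `start-stop-daemon --start --quiet --pidfile ${PIDFILE} --exec $DAEMON`, and in `stop)` and `reload|force-reload)` `start-stop-daemon --stop --quiet --pidfile ${PIDFILE} --exec $DAEMON`. The same pattern is in samhain-server.init and samhain-standalone.init. The user-facing message `before samhian-client can start` has a typo for `samhain-client`, repeated in samhain-standalone.init.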
diff --git a/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch b/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
new file mode 100644
index 0000000..8de0735
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
@@ -0,0 +1,108 @@
+From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Mon, 18 Jan 2016 00:24:57 -0500
+Subject: [PATCH] configure: add option for ps
+
+The configure searches hardcoded host paths for PSPATH
+and run ps commands to decide PSARG which will fail
+on host without ps:
+| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
+
+So add an option so we can specify the ps at configure
+to avoid host contamination.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ aclocal.m4 | 2 +-
+ configure.ac | 60 ++++++++++--------------------------------------------------
+ 2 files changed, 11 insertions(+), 51 deletions(-)
+
+diff --git a/aclocal.m4 b/aclocal.m4
+index a2e59a6..cd20a2f 100644
+--- a/aclocal.m4
++++ b/aclocal.m4
+@@ -409,7 +409,7 @@ x_includes=NONE
+ x_libraries=NONE
+ DESTDIR=
+ SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
+-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
++SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
+
+ # Installation directory options.
+ # These are left unexpanded so users can "make install exec_prefix=/foo"
+diff --git a/configure.ac b/configure.ac
+index 5910b1f..8c3e087 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -730,56 +730,16 @@ then
+ fi
+ AC_CHECK_HEADERS(gmp.h)
+
+-AC_MSG_CHECKING([for ps])
+-PS=
+-for ff in /usr/ucb /bin /usr/bin; do
+- if test -x "$ff/ps"; then
+- PS="$ff/ps"
+- AC_MSG_RESULT([$PS])
+- break
+- fi
+-done
+-if test x$PS = x
+-then
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
+-fi
+-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
+-
+-AC_MSG_CHECKING([how to use ps])
+-$PS ax >/dev/null 2>&1
+-if test $? -eq 0; then
+- case "$host_os" in
+- *openbsd*)
+- one=`$PS akx | wc -l`
+- ;;
+- *)
+- one=`$PS ax | wc -l`
+- ;;
+- esac
+-else
+- one=0
+-fi
+-$PS -e >/dev/null 2>&1
+-if test $? -eq 0; then
+- two=`$PS -e | wc -l`
+-else
+- two=0
+-fi
+-if test $one -ge $two
+-then
+- case "$host_os" in
+- *openbsd*)
+- PSARG="akx"
+- ;;
+- *)
+- PSARG="ax"
+- ;;
+- esac
+-else
+- PSARG="-e"
+-fi
+-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
++AC_ARG_WITH(ps-path,
++ [ --with-ps-path=PATH set path to ps command ],
++ [
++ if test "x${withval}" != xno; then
++ pspath="${withval}"
++ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
++ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
++ fi
++ ])
++
+ AC_MSG_RESULT([$PS $PSARG])
+
+ dnl *****************************************
+--
+1.9.1
+
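Review bot: When `--with-ps-path` is not given (or is given as `no`), the new `AC_ARG_WITH(ps-path, ...)` defines neither `PSPATH` nor `PSARG`, and the removed fallback search is gone, so the omission surfaces later as a compile error instead of a configure-time diagnostic; the retained `AC_MSG_RESULT([$PS $PSARG])` also now prints an empty `$PS` because nothing assigns it any more. An explicit failure in the action-if-not-given slot keeps the error early, e.g. a fourth `AC_ARG_WITH` argument `[AC_MSG_ERROR([--with-ps-path=PATH is required])]`, and the result line should print `${pspath}` rather than `$PS`. Hard-coding `PSARG` to `ax` suits the Linux targets this recipe is built for but silently drops the `akx` OpenBSD variant the old probe handled; a comment stating that assumption would help.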
diff --git a/recipes-ids/samhain/files/samhain-cross-compile.patch b/recipes-ids/samhain/files/samhain-cross-compile.patch
new file mode 100644
index 0000000..7f80a5c
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-cross-compile.patch
@@ -0,0 +1,51 @@
+From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Fri, 15 Jan 2016 00:48:58 -0500
+Subject: [PATCH] Enable obfuscating binaries natively.
+
+Enable obfuscating binaries natively.
+
+The samhain build process involves an obfuscation step that attempts to
+defeat decompilation or other binary analysis techniques which might reveal
+secret information that should be known only to the system administrator.
+The obfuscation step builds several applications which run on the build host
+and then generate target code, which is then built into target binaries.
+
+This patch creates a basic infrastructure that supports building the
+obfuscation binaries natively then cross-compiling the target code by adding
+a special configure option. In the absence of this option the old behaviour
+is preserved.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Makefile.in | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 684e92b..fb090e2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
+ top_builddir = .
+
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL@ -s -m 700
++INSTALL_PROGRAM = @INSTALL@ -m 700
+ INSTALL_SHELL = @INSTALL@ -m 700
+ INSTALL_DATA = @INSTALL@ -m 600
+ INSTALL_MAN = @INSTALL@ -m 644
+@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
+ echo " $(INSTALL_PROGRAM) $$p $$target"; \
+ $(INSTALL_PROGRAM) $$p $$target; \
+ chmod 0700 $$target; \
+- echo " ./sstrip $$target"; \
+- ./sstrip $$target; \
+ else \
+ echo " $(INSTALL_SHELL) $$p $$target"; \
+ $(INSTALL_SHELL) $$p $$target; \
+--
+1.9.1
+
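Review bot: The patch header describes "a basic infrastructure ... by adding a special configure option", but the diff itself only removes `-s` from `INSTALL_PROGRAM` and the `./sstrip $$target` step of `install-program`; no configure option is touched. The description should state what the patch actually does — leave installed binaries unstripped so the build system's own stripping and debug-split run on them — so the next maintainer is not looking for a flag that is not there. The `install-program` recipe starts before and continues after the hunk.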
diff --git a/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
new file mode 100644
index 0000000..0608660
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
@@ -0,0 +1,44 @@
+commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date: Fri Jun 22 15:47:08 2012 -0400
+
+Hash fix for MIPS64 and AARCH64
+
+Samhain uses the addresses of local variables in generating hash
+values. The hashing function is designed only for 32-bit values.
+For MIPS64 when a 64-bit address is passed in the resulting hash
+exceeds the limits of the underlying mechanism and samhain
+ultimately fails. The solution is to simply take the lower
+32-bits of the address and use that in generating hash values.
+
+Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
+
+Upstream-Status: Pending
+
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+diff --git a/src/dnmalloc.c b/src/dnmalloc.c
+index da9a5c5..fc91400 100644
+--- a/src/dnmalloc.c
++++ b/src/dnmalloc.c
+@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
+ }
+
+ /* Calculate the hash table entry for a chunk */
++#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
++#ifdef STARTHEAP_IS_ZERO
++#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7)
++#else
++#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
++#endif
++#else
+ #ifdef STARTHEAP_IS_ZERO
+ #define hash(p) (((unsigned long) p) >> 7)
+ #else
+ #define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7)
+ #endif
++#endif /* CONFIG_ARCH_MIPS64 */
+
+ static void
+ hashtable_add (chunkinfoptr ci)
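Review bot: The added `hash(p)` variants mask with `0x7fffffff`, which keeps the low 31 bits, while the header says the fix takes "the lower 32-bits of the address"; one of the two should be corrected so the intent (a non-negative value that fits the 32-bit hashing path) is stated accurately. The closing `#endif /* CONFIG_ARCH_MIPS64 */` should name both conditions it closes, e.g. `#endif /* CONFIG_ARCH_MIPS64 || CONFIG_ARCH_AARCH64 */`. Neither `CONFIG_ARCH_MIPS64` nor `CONFIG_ARCH_AARCH64` is defined by this patch, so it presumably relies on the recipe passing them in CFLAGS; that dependency deserves a sentence in the header.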
diff --git a/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch b/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
new file mode 100644
index 0000000..5284313
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
@@ -0,0 +1,24 @@
+not run test on host, since we are doing cross-compile
+
+Upstream-status: Inappropriate [cross compile specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ Makefile.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e1b32a8..74bfdc9 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
+ rm x_samhain.c; \
+ $(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
+ test -f ./intcutest && mv ./intcutest ./cutest; \
+- ./cutest
+
+ runcutest:
+ gdb ./cutest
+--
+1.7.10.4
+
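Review bot: Removing `./cutest` leaves the preceding recipe line `test -f ./intcutest && mv ./intcutest ./cutest; \` ending in `; \`, so the backslash-continuation now swallows the blank line that follows it; GNU make accepts this, but the trailing `; \` should be dropped so the recipe ends cleanly and a later line added below does not silently become part of it. The `intcutest` rule starts outside the hunk.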
diff --git a/recipes-ids/samhain/files/samhain-pid-path.patch b/recipes-ids/samhain/files/samhain-pid-path.patch
new file mode 100644
index 0000000..592bd16
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-pid-path.patch
@@ -0,0 +1,27 @@
+commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date: Thu Jan 10 16:29:05 2013 -0500
+
+ Set the PID Lock path for samhain.pid
+
+ The explicit path for samhain.pid inorder
+ for samhain to work properly after it initial
+ database build.
+
+ Upstream-Status: Inappropriate [configuration]
+
+ Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 10a8176..a7b06e6 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
+
+ ## Path to the PID file
+ #
+-# SetLockfilePath = (default: compiled-in)
++SetLockfilePath = /run/samhain.pid
+
+
+ ## The digest/checksum/hash algorithm
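Review bot: `SetLockfilePath = /run/samhain.pid` fixes the daemon's PID file under `/run`, while the init scripts in this series use `PIDFILE=/var/run/samhain.pid` (samhain-client.init, samhain-standalone.init) and `/var/run/yule.pid` (samhain-server.init). The two only agree when `/var/run` is a symlink to `/run`; on an image where it is a separate directory the scripts' `test -f ${PIDFILE}` cleanup never sees the daemon's file. Either point the scripts at `/run/...` as well or use one path in both places, and say in the header which layout is assumed.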
diff --git a/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
new file mode 100644
index 0000000..dad6b15
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
@@ -0,0 +1,61 @@
+From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 3 Mar 2014 01:50:01 -0500
+Subject: [PATCH] fix real path for some files/dirs
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ samhainrc.linux | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index e9727b4..7775d83 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -93,7 +93,6 @@ dir = 99/etc
+ ##
+ file = /etc/mtab
+ file = /etc/fstab
+-file = /etc/adjtime
+ file = /etc/motd
+ file = /etc/lvm/lvm.conf
+
+@@ -153,11 +152,11 @@ dir = 99/var
+
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/lock
+-dir = -1/var/mail
+-dir = -1/var/run
++dir = -1/run/lock
++dir = -1/var/spool/mail
++dir = -1/run
+ dir = -1/var/spool
+-dir = -1/var/tmp
++dir = -1/var/volatile/tmp
+
+
+ [Attributes]
+@@ -167,7 +166,7 @@ dir = -1/var/tmp
+ file = /var/lib/rpm/__db.00?
+
+ file = /var/lib/logrotate.status
+-file = /var/lib/random-seed
++file = /var/lib/urandom/random-seed
+
+
+ [GrowingLogFiles]
+@@ -176,7 +175,7 @@ file = /var/lib/random-seed
+ ## are ignored. Logfile rotation will cause a report because of shrinking
+ ## size and different inode.
+ ##
+-dir = 99/var/log
++dir = 99/var/volatile/log
+
+ [Attributes]
+ #
+--
+1.7.9.5
+
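Review bot: In the `[IgnoreAll]` section `dir = -1/run/lock` appears redundant once `dir = -1/run` is present, since the latter already excludes the whole subtree. Because the sibling samhain-pid-path.patch also places the PID file under `/run`, a comment stating that `/run` is deliberately unmonitored would make the exclusion reviewable, e.g. `# /run holds volatile pid/lock state only; nothing persistent to verify`.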
diff --git a/recipes-ids/samhain/files/samhain-samhainrc.patch b/recipes-ids/samhain/files/samhain-samhainrc.patch
new file mode 100644
index 0000000..145700a
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-samhainrc.patch
@@ -0,0 +1,158 @@
+commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date: Fri Jun 22 16:38:20 2012 -0400
+
+Make samhainrc OE-friendly.
+
+Patch the samhainrc that will be installed
+as part of the 'make install' step to more
+accurately reflect what will be found, and
+what will be of concern, on a OE install.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 9bc5ca4..10a8176 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -74,7 +74,6 @@ dir = 0/
+ [Attributes]
+ file = /tmp
+ file = /dev
+-file = /media
+ file = /proc
+ file = /sys
+
+@@ -93,19 +92,10 @@ dir = 99/etc
+ ## check permission and ownership
+ ##
+ file = /etc/mtab
++file = /etc/fstab
+ file = /etc/adjtime
+ file = /etc/motd
+-file = /etc/lvm/.cache
+-
+-# On Ubuntu, these are in /var/lib rather than /etc
+-file = /etc/cups/certs
+-file = /etc/cups/certs/0
+-
+-# managed by fstab-sync on Fedora Core
+-file = /etc/fstab
+-
+-# modified when booting
+-file = /etc/sysconfig/hwconf
++file = /etc/lvm/lvm.conf
+
+ # There are files in /etc that might change, thus changing the directory
+ # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
+@@ -147,10 +137,6 @@ dir = 99/dev
+ ##
+ dir = -1/dev/pts
+
+-# dir = -1/dev/.udevdb
+-
+-file = /dev/ppp
+-
+ #
+ # --------- /usr -----------
+ #
+@@ -167,50 +153,21 @@ dir = 99/var
+
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/backups
+-dir = -1/var/games
+-dir = -1/var/gdm
+ dir = -1/var/lock
+ dir = -1/var/mail
+ dir = -1/var/run
+ dir = -1/var/spool
+ dir = -1/var/tmp
+-dir = -1/var/lib/texmf
+-dir = -1/var/lib/scrollkeeper
+
+
+ [Attributes]
+
+-dir = /var/lib/nfs
+-dir = /var/lib/pcmcia
+-
+ # /var/lib/rpm changes if packets are installed;
+ # /var/lib/rpm/__db.00[123] even more frequently
+ file = /var/lib/rpm/__db.00?
+
+-file = /var/lib/acpi-support/vbestate
+-file = /var/lib/alsa/asound.state
+-file = /var/lib/apt/lists/lock
+-file = /var/lib/apt/lists/partial
+-file = /var/lib/cups/certs
+-file = /var/lib/cups/certs/0
+-file = /var/lib/dpkg/lock
+-file = /var/lib/gdm
+-file = /var/lib/gdm/.cookie
+-file = /var/lib/gdm/.gdmfifo
+-file = /var/lib/gdm/:0.Xauth
+-file = /var/lib/gdm/:0.Xservers
+-file = /var/lib/logrotate/status
+-file = /var/lib/mysql
+-file = /var/lib/mysql/ib_logfile0
+-file = /var/lib/mysql/ibdata1
+-file = /var/lib/slocate
+-file = /var/lib/slocate/slocate.db
+-file = /var/lib/slocate/slocate.db.tmp
+-file = /var/lib/urandom
+-file = /var/lib/urandom/random-seed
++file = /var/lib/logrotate.status
+ file = /var/lib/random-seed
+-file = /var/lib/xkb
+
+
+ [GrowingLogFiles]
+@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+
+ ## Console
+ ##
+-# PrintSeverity=info
++PrintSeverity=warn
+
+ ## Logfile
+ ##
+@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+
+ ## Syslog
+ ##
+-# SyslogSeverity=none
++SyslogSeverity=info
+
+ ## Remote server (yule)
+ ##
+@@ -556,7 +513,8 @@ ChecksumTest=check
+ ## and I/O limit (kilobytes per second; 0 == off)
+ ## to reduce load on host.
+ #
+-# SetNiceLevel = 0
++# By default we configure samhain to be nice with everything else on the system
++SetNiceLevel = 10
+ # SetIOLimit = 0
+
+ ## The version string to embed in file signature databases
+@@ -565,13 +523,14 @@ ChecksumTest=check
+
+ ## Interval between time stamp messages
+ #
+-# SetLoopTime = 60
+-SetLoopTime = 600
++# Log a timestamp every hour
++SetLoopTime = 3600
+
+ ## Interval between file checks
+ #
+ # SetFileCheckTime = 600
+-SetFileCheckTime = 7200
++# One file system check per day
++SetFileCheckTime = 86400
+
+ ## Alternative: crontab-like schedule
+ #
diff --git a/recipes-ids/samhain/files/samhain-server-volatiles b/recipes-ids/samhain/files/samhain-server-volatiles
new file mode 100644
index 0000000..6b80709
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-server-volatiles
@@ -0,0 +1 @@
+d daemon daemon 0775 /var/log/yule none
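Review bot: The `/var/log/yule` entry creates the server's log directory with mode `0775`, i.e. writable by every member of group `daemon` and readable by all local users. If yule is the only writer, `0750` limits both write access and casual reading of the integrity log; keep `0775` only if another group-`daemon` process must write there. A comment naming the intended writer would make the mode choice reviewable.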
diff --git a/recipes-ids/samhain/files/samhain-server.default b/recipes-ids/samhain/files/samhain-server.default
new file mode 100644
index 0000000..bc3d67c
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-server.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_SERVER_START="no" \ No newline at end of file
diff --git a/recipes-ids/samhain/files/samhain-server.init b/recipes-ids/samhain/files/samhain-server.init
new file mode 100644
index 0000000..c456e51
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-server.init
@@ -0,0 +1,116 @@
+#!/bin/bash
+# chkconfig: 2345 98 11
+# description: File Integrity Checking Daemon
+#
+# processname: yule
+# config : /etc/yulerc
+# logfile : /var/log/yule/yule_log
+# database: /var/lib/yule/yule_file
+#
+
+NAME=yule
+DAEMON=/usr/sbin/yule
+RETVAL=0
+PIDFILE=/var/run/yule.pid
+
+. /etc/default/rcS
+
+. /etc/default/samhain-server
+
+if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then
+ echo "${0}: server disabled in /etc/default/samhain-server"
+ exit 0
+fi
+
+if [ -x $DAEMON ]; then
+ :
+else
+ echo "${0}: executable ${DAEMON} not found"
+ exit 1
+fi
+
+samhain_done()
+{
+ if [ $RETVAL -eq 0 ]; then
+ echo "."
+ else
+ echo " failed."
+ fi
+}
+
+log_stat_msg () {
+case "$1" in
+ 0)
+ echo "Service $NAME: Running";
+ ;;
+ 1)
+ echo "Service $NAME: Stopped and /var/run pid file exists";
+ ;;
+ 3)
+ echo "Service $NAME: Stopped";
+ ;;
+ *)
+ echo "Service $NAME: Status unknown";
+ ;;
+esac
+}
+
+case "$1" in
+ start)
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+ #
+ echo -n "Starting ${NAME}"
+ start-stop-daemon --start --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ ;;
+
+ stop)
+ echo -n "Stopping $NAME"
+ start-stop-daemon --stop --quiet --exec $DAEMON
+ RETVAL=$?
+
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+ if test -S /var/run/${NAME}.sock; then
+ /bin/rm -f /var/run/${NAME}.sock
+ fi
+ samhain_done
+ ;;
+
+ restart)
+ $0 stop
+ sleep 3
+ $0 start
+ RETVAL=$?
+ ;;
+
+ reload|force-reload)
+ echo -n "Reloading $NAME configuration files"
+ start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ ;;
+
+ status)
+ $DAEMON status
+ RETVAL=$?
+ log_stat_msg ${RETVAL}
+ ;;
+
+ *)
+ echo "$0 usage: {start|stop|status|restart|reload}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/recipes-ids/samhain/files/samhain-sha256-big-endian.patch b/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
new file mode 100644
index 0000000..3065c73
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
@@ -0,0 +1,22 @@
+samhain: fix sha256 for big-endian machines
+
+After computing the digest, big-endian machines would
+memset() the digest to the first byte of state instead
+of using memcpy() to transfer it.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+
+--- a/src/sh_checksum.c
++++ b/src/sh_checksum.c
+@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
+ }
+ }
+ #else
+- memset(d, context->state, SHA256_DIGEST_LENGTH);
++ memcpy(d, context->state, SHA256_DIGEST_LENGTH);
+ /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
+ #endif
+ }
diff --git a/recipes-ids/samhain/files/samhain-standalone.default b/recipes-ids/samhain/files/samhain-standalone.default
new file mode 100644
index 0000000..507a59f
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-standalone.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_STANDALONE_START="no"
diff --git a/recipes-ids/samhain/files/samhain-standalone.init b/recipes-ids/samhain/files/samhain-standalone.init
new file mode 100644
index 0000000..2f23bff
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain-standalone.init
@@ -0,0 +1,123 @@
+#!/bin/sh
+# chkconfig: 2345 99 10
+# description: File Integrity Checking Daemon
+#
+# processname: samhain
+# config : /etc/samhainrc
+# logfile : /var/log/samhain_log
+# database: /var/lib/samhain/samhain_file
+#
+
+NAME=samhain
+DAEMON=/usr/sbin/samhain
+RETVAL=0
+VERBOSE=yes
+PIDFILE=/var/run/samhain.pid
+
+. /etc/default/samhain-standalone
+
+if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
+ echo "${0}: samhain disabled in /etc/default/samhain-standalone"
+ exit 0
+fi
+
+if [ -x $DAEMON ]; then
+ :
+else
+ echo "${0}: executable ${DAEMON} not found"
+ exit 1
+fi
+
+if [ ! -e /var/lib/samhain/samhain_file ]; then
+ echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
+ echo " run 'samhain -t init' before samhian can start."
+ exit 1
+fi
+
+samhain_done()
+{
+ if [ $RETVAL -eq 0 ]; then
+ echo "."
+ else
+ echo " failed."
+ fi
+}
+
+log_stat_msg () {
+case "$1" in
+ 0)
+ echo "Service $NAME: Running";
+ ;;
+ 1)
+ echo "Service $NAME: Stopped and /var/run pid file exists";
+ ;;
+ 3)
+ echo "Service $NAME: Stopped";
+ ;;
+ *)
+ echo "Service $NAME: Status unknown";
+ ;;
+esac
+}
+
+case "$1" in
+ start)
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+
+ echo -n "Starting ${NAME}"
+ start-stop-daemon --start --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ exit $RETVAL
+ ;;
+ stop)
+ echo -n "Stopping $NAME"
+ start-stop-daemon --stop --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ #
+ # Remove a stale PID file, if found
+ #
+ if test -f ${PIDFILE}; then
+ /bin/rm -f ${PIDFILE}
+ fi
+ if test -S /var/run/${NAME}.sock; then
+ /bin/rm -f /var/run/${NAME}.sock
+ fi
+ ;;
+
+ restart)
+ $0 stop
+ sleep 3
+ $0 start
+ RETVAL=$?
+ ;;
+
+ reload|force-reload)
+ echo -n "Reloading $NAME configuration files"
+ start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
+ RETVAL=$?
+ samhain_done
+ ;;
+
+ status)
+ if pidof -o %PPID $DAEMON > /dev/null; then
+ echo "Samhain running"
+ RETVAL=0
+ else
+ echo "Samhain not running"
+ RETVAL=1
+ fi
+ ;;
+ *)
+ echo "$0 usage: {start|stop|status|restart|reload}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
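Review bot: `VERBOSE=yes` is assigned but never read in this script, and unlike samhain-client.init and samhain-server.init it does not source `/etc/default/rcS`, which is where the other two get their rcS settings; drop the assignment or use it. The `stop)` branch here calls `samhain_done` before removing the PID file and socket, whereas the other two scripts remove them first, and `status)` uses `pidof -o %PPID $DAEMON` while the others call `$DAEMON status`; the three scripts differ only in such details and would be easier to maintain with one ordering and one status check. The `samhian` typo in the `samhain -t init` hint also appears here.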
diff --git a/recipes-ids/samhain/files/samhain.service b/recipes-ids/samhain/files/samhain.service
new file mode 100644
index 0000000..e4f216a
--- /dev/null
+++ b/recipes-ids/samhain/files/samhain.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samhain @MODE_NAME@ Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+RemainAfterExit=yes
+ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
+ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
+
+[Install]
+WantedBy=multi-user.target
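Review bot: `RemainAfterExit=yes` on a `Type=forking` unit (lines 1200-1201) makes systemd treat the unit as active once the helper script returns, even if the samhain daemon later dies, so a crashed integrity checker is reported as running and can never be auto-restarted. Since samhain.inc configures the daemon with `--with-pid-file=${localstatedir}/run/samhain.pid`, dropping `RemainAfterExit=` and adding `PIDFile=/var/run/samhain.pid` plus `Restart=on-failure` would let systemd track the real process; confirm that the helper's `start` action leaves that pid file in place (its `stop` path removes it). `After=syslog.target` refers to a target that has been deprecated in systemd for a long time and can be dropped.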
diff --git a/recipes-ids/samhain/samhain-client_4.3.2.bb b/recipes-ids/samhain/samhain-client_4.3.2.bb
new file mode 100644
index 0000000..812408e
--- /dev/null
+++ b/recipes-ids/samhain/samhain-client_4.3.2.bb
@@ -0,0 +1,11 @@
+INITSCRIPT_PARAMS = "defaults 15 85"
+
+require samhain.inc
+
+# Let the default Logserver be 127.0.0.1
+EXTRA_OECONF += " \
+ --with-logserver=${SAMHAIN_SERVER} \
+ --with-port=${SAMHAIN_PORT} \
+ "
+
+RDEPENDS_${PN} = "acl zlib attr bash"
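Review bot: The comment on line 1217 says the default log server is 127.0.0.1, but samhain.inc sets `SAMHAIN_SERVER ??= "NULL"`, so unless the distro overrides it the client is built with `--with-logserver=NULL`; either the comment or the default is wrong and a reader of this recipe cannot tell which. Make the recipe say what it does, e.g. `# Log server defaults to SAMHAIN_SERVER (NULL unless the distro/local config sets it)`, or set `SAMHAIN_SERVER ??= "127.0.0.1"` in the .inc if loopback really is the intended default.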
diff --git a/recipes-ids/samhain/samhain-server_4.3.2.bb b/recipes-ids/samhain/samhain-server_4.3.2.bb
new file mode 100644
index 0000000..9341d44
--- /dev/null
+++ b/recipes-ids/samhain/samhain-server_4.3.2.bb
@@ -0,0 +1,20 @@
+INITSCRIPT_PARAMS = "defaults 14 86"
+
+require samhain.inc
+
+DEPENDS = "gmp"
+
+SRC_URI += "file://samhain-server-volatiles"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/samhain-server-volatiles \
+ ${D}${sysconfdir}/default/volatiles/samhain-server
+
+ install -m 700 samhain-install.sh init/samhain.startLinux \
+ init/samhain.startLSB ${D}/var/lib/samhain
+}
+
+RDEPENDS_${PN} += "gmp bash perl"
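Review bot: Lines 1245-1246 install samhain-install.sh and the two init helpers into a hard-coded `${D}/var/lib/samhain`, while the rest of the recipe derives that path as `${localstatedir}/lib/samhain` (the `--with-data-file` argument in samhain.inc), and the directory is never created here, so the install silently relies on `make install` having made it. `install -d ${D}${localstatedir}/lib/samhain` followed by `install -m 700 ... ${D}${localstatedir}/lib/samhain` makes this explicit and keeps the path consistent. A one-line comment on why these build-tree helper scripts are shipped into the daemon's data directory at all would also help; they look like install-time tooling rather than runtime files.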
diff --git a/recipes-ids/samhain/samhain-standalone_4.3.2.bb b/recipes-ids/samhain/samhain-standalone_4.3.2.bb
new file mode 100644
index 0000000..4fed9e9
--- /dev/null
+++ b/recipes-ids/samhain/samhain-standalone_4.3.2.bb
@@ -0,0 +1,31 @@
+require samhain.inc
+
+SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
+ file://run-ptest \
+"
+
+PROVIDES += "samhain"
+
+SYSTEMD_SERVICE_${PN} = "samhain.service"
+
+inherit ptest
+
+do_compile() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
+ oe_runmake cutest
+ rm -f ${S}*.o config_xor.h internal.h
+ fi
+ oe_runmake "$@"
+}
+
+do_install_append() {
+ ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
+}
+
+do_install_ptest() {
+ mkdir -p ${D}${PTEST_PATH}
+ install ${S}/cutest ${D}${PTEST_PATH}
+}
+
+RPROVIDES_${PN} += "samhain"
+RCONFLICTS_${PN} = "samhain-client samhain-server"
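Review bot: `rm -f ${S}*.o config_xor.h internal.h` on line 1271 is missing a slash: `${S}` expands to `${WORKDIR}/samhain-${PV}`, so the glob becomes `.../samhain-4.3.2*.o` and matches nothing, leaving the objects from the `cutest` build in place for the following `oe_runmake`. The intent is presumably a clean rebuild of the real daemon after the test binary; `rm -f ${S}/*.o ${S}/config_xor.h ${S}/internal.h` does that (as written the two headers are removed relative to the cwd, which only happens to be ${S} because of autotools-brokensep). If the objects are in fact shared safely between the two builds, drop the line rather than fix it.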
diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc
new file mode 100644
index 0000000..1b9af39
--- /dev/null
+++ b/recipes-ids/samhain/samhain.inc
@@ -0,0 +1,163 @@
+DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis"
+HOMEPAGE = "http://www.la-samhna.de/samhain/"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
+
+
+SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
+ file://samhain-cross-compile.patch \
+ file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
+ file://samhain-samhainrc.patch \
+ file://samhain-samhainrc-fix-files-dirs-path.patch \
+ file://samhain-pid-path.patch \
+ file://samhain-sha256-big-endian.patch \
+ file://samhain-configure-add-option-for-ps.patch \
+ file://samhain-avoid-searching-host-for-postgresql.patch \
+ file://samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch \
+ file://${INITSCRIPT_NAME}.init \
+ file://${INITSCRIPT_NAME}.default \
+ file://samhain.service \
+ "
+
+SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b"
+SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc"
+
+UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
+UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
+
+S = "${WORKDIR}/samhain-${PV}"
+
+inherit autotools-brokensep update-rc.d pkgconfig systemd
+
+SAMHAIN_PORT ??= "49777"
+SAMHAIN_SERVER ??= "NULL"
+
+INITSCRIPT_NAME = "${BPN}"
+INITSCRIPT_PARAMS ?= "defaults"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+# mode mapping:
+# BPN MODE_NAME SAMHAIN_MODE
+# samhain-standalone standalone no
+# samhain-client client client
+# samhain-server server server
+MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
+SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
+
+# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
+
+PACKAGECONFIG ??= "postgresql ps \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \
+"
+
+PACKAGECONFIG[postgresql] = "--with-database=postgresql --enable-xml-log PGSQL_INC_DIR=${STAGING_INCDIR} PGSQL_LIB_DIR=${STAGING_LIBDIR}, , postgresql"
+PACKAGECONFIG[suidcheck] = "--enable-suidcheck, , "
+PACKAGECONFIG[logwatch] = "--enable-login-watch, , "
+PACKAGECONFIG[mounts] = "--enable-mounts-check, , "
+PACKAGECONFIG[userfiles] = "--enable-userfiles, , "
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux attr"
+PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
+PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
+PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
+
+do_unpack_samhain() {
+ cd ${WORKDIR}
+ tar -xzvf samhain-${PV}.tar.gz
+}
+
+python do_unpack_append() {
+ bb.build.exec_func('do_unpack_samhain', d)
+}
+
+do_configure_prepend_arm() {
+ export sh_cv___va_copy=yes
+}
+
+do_configure_prepend_aarch64() {
+ export sh_cv___va_copy=yes
+}
+
+# If we use oe_runconf in do_configure() it will by default
+# use the prefix --oldincludedir=/usr/include which is not
+# recognized by Samhain's configure script and would invariably
+# throw back the error "unrecognized option: --oldincludedir=/usr/include"
+do_configure_prepend () {
+ cat << EOF > ${S}/config-site.${BP}
+ssp_cv_lib=no
+sh_cv_va_copy=yes
+EOF
+ export CONFIG_SITE=${S}/config-site.${BP}
+}
+
+do_configure () {
+ autoconf -f
+ ./configure \
+ --build=${BUILD_SYS} \
+ --host=${HOST_SYS} \
+ --target=${TARGET_SYS} \
+ --prefix=${prefix} \
+ --exec_prefix=${exec_prefix} \
+ --bindir=${bindir} \
+ --sbindir=${sbindir} \
+ --libexecdir=${libexecdir} \
+ --datadir=${datadir} \
+ --sysconfdir=${sysconfdir} \
+ --sharedstatedir=${sharedstatedir} \
+ --localstatedir=${localstatedir} \
+ --libdir=${libdir} \
+ --includedir=${includedir} \
+ --infodir=${infodir} \
+ --mandir=${mandir} \
+ --enable-network=${SAMHAIN_MODE} \
+ --with-pid-file=${localstatedir}/run/samhain.pid \
+ --with-data-file=${localstatedir}/lib/samhain/samhain_file \
+ --disable-dnmalloc \
+ ${EXTRA_OECONF}
+}
+
+do_compile_prepend_libc-musl () {
+ sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h
+}
+
+# Install the init script, it's default file, and the extraneous
+# documentation.
+do_install_append () {
+ oe_runmake install DESTDIR='${D}' INSTALL=install-boot
+
+ install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
+ ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
+
+ install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
+ ${D}${sysconfdir}/default/${INITSCRIPT_NAME}
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ if [ "${SAMHAIN_MODE}" = "no" ]; then
+ install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
+ else
+ install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
+ fi
+ install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
+ sed -i -e 's,@LIBDIR@,${libexecdir},' \
+ -e 's,@SAMHAIN_HELPER@,${BPN},' \
+ -e 's,@MODE_NAME@,${MODE_NAME},' \
+ ${D}${systemd_system_unitdir}/samhain*.service
+ fi
+
+ install -d ${D}${docdir}/${BPN}
+ cp -r docs/* ${D}${docdir}/${BPN}
+ cp -r scripts ${D}${docdir}/${BPN}
+ install -d -m 755 ${D}${localstatedir}/samhain
+
+ # Prevent QA warnings about installed ${localstatedir}/run
+ if [ -d ${D}${localstatedir}/run ]; then
+ rmdir ${D}${localstatedir}/run
+ fi
+}
+
+FILES_${PN} += "${systemd_system_unitdir}"
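Review bot: Line 1428 installs `${INITSCRIPT_NAME}.default` with mode 755; it is a sourced shell configuration fragment read from /etc/default by the init script, not an executable, and should be `install -D -m 644`. Separately, SRC_URI on line 1299 fetches the `samhain_signed` bundle over plain http while UPSTREAM_CHECK_URI already uses https, and do_unpack_samhain only re-extracts the inner tarball, so integrity rests on the sha256sum alone; switching to https and adding `# NOTE: the bundle's signature is not verified here, the sha256sum is the only integrity check` would make that explicit. The `install -d -m 755 ${D}${localstatedir}/samhain` on line 1447 also creates /var/samhain, which nothing else in the recipe references (the data file lives under `${localstatedir}/lib/samhain`), so it looks like a stray directory.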
diff --git a/recipes-ids/suricata/files/emerging.rules.tar.gz b/recipes-ids/suricata/files/emerging.rules.tar.gz
new file mode 100644
index 0000000..aed3754
--- /dev/null
+++ b/recipes-ids/suricata/files/emerging.rules.tar.gz
Binary files differ
diff --git a/recipes-ids/suricata/files/no_libhtp_build.patch b/recipes-ids/suricata/files/no_libhtp_build.patch
new file mode 100644
index 0000000..2ebf021
--- /dev/null
+++ b/recipes-ids/suricata/files/no_libhtp_build.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Inappropriate [configuration]
+
+Signed-of_by: Armin Kuster <akuster808@gmail.com>
+
+Index: suricata-2.0.5/Makefile.am
+===================================================================
+--- suricata-2.0.5.orig/Makefile.am
++++ suricata-2.0.5/Makefile.am
+@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
+ EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
+ classification.config threshold.config \
+ reference.config
+-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
++SUBDIRS = src qa rules doc contrib scripts
+
+ CLEANFILES = stamp-h[0-9]*
+
+Index: suricata-2.0.5/Makefile.in
+===================================================================
+--- suricata-2.0.5.orig/Makefile.in
++++ suricata-2.0.5/Makefile.in
+@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
+ HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
+ HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
+ HAVE_WGET = @HAVE_WGET@
+-HTP_DIR = @HTP_DIR@
+ HTP_LDADD = @HTP_LDADD@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+ classification.config threshold.config \
+ reference.config
+
+-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
++SUBDIRS = src qa rules doc contrib scripts
+ CLEANFILES = stamp-h[0-9]*
+ all: config.h
+ $(MAKE) $(AM_MAKEFLAGS) all-recursive
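Review bot: The trailer on line 1470 is spelled `Signed-of_by:`, which is not the `Signed-off-by:` trailer that patch tooling and the layer's patch-header checks recognise; it should read `Signed-off-by: Armin Kuster <akuster808@gmail.com>`. The patch also edits Makefile.in alongside Makefile.am; if the suricata recipe regenerates Makefile.in through autoreconf, the second hunk is overwritten and only adds churn, so either drop it or add a line to the header explaining why both are patched.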
diff --git a/recipes-ids/suricata/files/run-ptest b/recipes-ids/suricata/files/run-ptest
new file mode 100644
index 0000000..666ba9c
--- /dev/null
+++ b/recipes-ids/suricata/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u
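Review bot: `suricata -u` runs the built-in unit tests but emits nothing in the `PASS:`/`FAIL:` form the ptest runner parses, so the outcome is visible only through the script's exit status. A wrapper such as `if suricata -u > /dev/null 2>&1; then echo "PASS: suricata"; else echo "FAIL: suricata"; fi` makes the result show up in ptest reports; confirm that `-u` in this version does not also need `-c /etc/suricata/suricata.yaml` to find its configuration.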
diff --git a/recipes-ids/suricata/files/suricata.service b/recipes-ids/suricata/files/suricata.service
new file mode 100644
index 0000000..a99a76e
--- /dev/null
+++ b/recipes-ids/suricata/files/suricata.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=yes
+
+[Install]
+WantedBy=multi-user.target
+
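Review bot: `RestrictAddressFamilies=` on line 1531 is empty, and an empty assignment resets the restriction to allow every family, so it adds no sandboxing while reading as if hardening were in place. With the shipped af-packet configuration Suricata needs AF_PACKET plus AF_UNIX for its local sockets and AF_INET/AF_INET6, and AF_NETLINK if nfq/nflog capture is used, so `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK` states that explicitly. The unit also runs as root with no `User=` while suricata.yaml leaves `run-as` commented out, so `CapabilityBoundingSet` only trims root's capabilities rather than dropping privilege; consider `User=suricata` with `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` (or enabling `run-as` in the yaml) and raising `ProtectSystem=yes` to `full`. The interface name `eth0` on ExecStart is hard-coded as well; an `EnvironmentFile=` or relying on the af-packet interface list in the yaml would avoid baking the NIC name into the unit.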
diff --git a/recipes-ids/suricata/files/suricata.yaml b/recipes-ids/suricata/files/suricata.yaml
new file mode 100644
index 0000000..8d06a27
--- /dev/null
+++ b/recipes-ids/suricata/files/suricata.yaml
@@ -0,0 +1,1326 @@
+%YAML 1.1
+---
+
+# Suricata configuration file. In addition to the comments describing all
+# options in this file, full documentation can be found at:
+# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
+
+
+# Number of packets allowed to be processed simultaneously. Default is a
+# conservative 1024. A higher number will make sure CPU's/CPU cores will be
+# more easily kept busy, but may negatively impact caching.
+#
+# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
+# apply. In that case try something like 60000 or more. This is because the CUDA
+# pattern matcher buffers and scans as many packets as possible in parallel.
+#max-pending-packets: 1024
+
+# Runmode the engine should use. Please check --list-runmodes to get the available
+# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
+# load balancing).
+#runmode: autofp
+
+# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
+#
+# Supported schedulers are:
+#
+# round-robin - Flows assigned to threads in a round robin fashion.
+# active-packets - Flows assigned to threads that have the lowest number of
+# unprocessed packets (default).
+# hash - Flow alloted usihng the address hash. More of a random
+# technique. Was the default in Suricata 1.2.1 and older.
+#
+#autofp-scheduler: active-packets
+
+# If suricata box is a router for the sniffed networks, set it to 'router'. If
+# it is a pure sniffing setup, set it to 'sniffer-only'.
+# If set to auto, the variable is internally switch to 'router' in IPS mode
+# and 'sniffer-only' in IDS mode.
+# This feature is currently only used by the reject* keywords.
+host-mode: auto
+
+# Run suricata as user and group.
+#run-as:
+# user: suri
+# group: suri
+
+# Default pid file.
+# Will use this file if no --pidfile in command options.
+#pid-file: /var/run/suricata.pid
+
+# Daemon working directory
+# Suricata will change directory to this one if provided
+# Default: "/"
+#daemon-directory: "/"
+
+# Preallocated size for packet. Default is 1514 which is the classical
+# size for pcap on ethernet. You should adjust this value to the highest
+# packet size (MTU + hardware header) on your system.
+#default-packet-size: 1514
+
+# The default logging directory. Any log or output file will be
+# placed here if its not specified with a full path name. This can be
+# overridden with the -l command line parameter.
+default-log-dir: /var/log/suricata/
+
+# Unix command socket can be used to pass commands to suricata.
+# An external tool can then connect to get information from suricata
+# or trigger some modifications of the engine. Set enabled to yes
+# to activate the feature. You can use the filename variable to set
+# the file name of the socket.
+unix-command:
+ enabled: no
+ #filename: custom.socket
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+
+ # a line based alerts log similar to Snort's fast.log
+ - fast:
+ enabled: yes
+ filename: fast.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ type: file #file|syslog|unix_dgram|unix_stream
+ filename: eve.json
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ types:
+ - alert
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ force-md5: no # force logging of md5 checksums
+ #- drop
+ - ssh
+
+ # alert output for use with Barnyard2
+ - unified2-alert:
+ enabled: yes
+ filename: unified2.alert
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ #limit: 32mb
+
+ # Sensor ID field of unified2 alerts.
+ #sensor-id: 0
+
+ # HTTP X-Forwarded-For support by adding the unified2 extra header that
+ # will contain the actual client IP address or by overwriting the source
+ # IP address (helpful when inspecting traffic that is being reversed
+ # proxied).
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite". Note
+ # that in the "overwrite" mode, if the reported IP address in the HTTP
+ # X-Forwarded-For header is of a different version of the packet
+ # received, it will fall-back to "extra-data" mode.
+ mode: extra-data
+ # Header name were the actual IP address will be reported, if more than
+ # one IP address is present, the last IP address will be the one taken
+ # into consideration.
+ header: X-Forwarded-For
+
+ # a line based log of HTTP requests (no alerts)
+ - http-log:
+ enabled: yes
+ filename: http.log
+ append: yes
+ #extended: yes # enable this for extended logging information
+ #custom: yes # enabled the custom logging format (defined by customformat)
+ #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # a line based log of TLS handshake parameters (no alerts)
+ - tls-log:
+ enabled: no # Log TLS connections.
+ filename: tls.log # File to store TLS logs.
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+ #extended: yes # Log extended information like fingerprint
+ certs-log-dir: certs # directory to store the certificates files
+
+ # a line based log of DNS requests and/or replies (no alerts)
+ - dns-log:
+ enabled: no
+ filename: dns.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # a line based log to used with pcap file study.
+ # this module is dedicated to offline pcap parsing (empty output
+ # if used with another kind of input). It can interoperate with
+ # pcap parser like wireshark via the suriwire plugin.
+ - pcap-info:
+ enabled: no
+
+ # Packet log... log packets in pcap format. 2 modes of operation: "normal"
+ # and "sguil".
+ #
+ # In normal mode a pcap file "filename" is created in the default-log-dir,
+ # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
+ # In this base dir the pcaps are created in th directory structure Sguil expects:
+ #
+ # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
+ #
+ # By default all packets are logged except:
+ # - TCP streams beyond stream.reassembly.depth
+ # - encrypted streams after the key exchange
+ #
+ - pcap-log:
+ enabled: no
+ filename: log.pcap
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ limit: 1000mb
+
+ # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
+ max-files: 2000
+
+ mode: normal # normal or sguil.
+ #sguil-base-dir: /nsm_data/
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+
+ # a full alerts log containing much information for signature writers
+ # or for investigating suspected false positives.
+ - alert-debug:
+ enabled: no
+ filename: alert-debug.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # alert output to prelude (http://www.prelude-technologies.com/) only
+ # available if Suricata has been compiled with --enable-prelude
+ - alert-prelude:
+ enabled: no
+ profile: suricata
+ log-packet-content: no
+ log-packet-header: yes
+
+ # Stats.log contains data from various counters of the suricata engine.
+ # The interval field (in seconds) tells after how long output will be written
+ # on the log file.
+ - stats:
+ enabled: yes
+ filename: stats.log
+ interval: 8
+
+ # a line based alerts log similar to fast.log into syslog
+ - syslog:
+ enabled: no
+ # reported identity to syslog. If ommited the program name (usually
+ # suricata) will be used.
+ #identity: "suricata"
+ facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+
+ # a line based information for dropped packets in IPS mode
+ - drop:
+ enabled: no
+ filename: drop.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # output module to store extracted files to disk
+ #
+ # The files are stored to the log-dir in a format "file.<id>" where <id> is
+ # an incrementing number starting at 1. For each file "file.<id>" a meta
+ # file "file.<id>.meta" is created.
+ #
+ # File extraction depends on a lot of things to be fully done:
+ # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
+ # - http request / response body sizes. Again set to 0 for optimal results.
+ # - rules that contain the "filestore" keyword.
+ - file-store:
+ enabled: no # set to yes to enable
+ log-dir: files # directory to store the files
+ force-magic: no # force logging magic on all stored files
+ force-md5: no # force logging of md5 checksums
+ #waldo: file.waldo # waldo file to store the file_id across runs
+
+ # output module to log files tracked in a easily parsable json format
+ - file-log:
+ enabled: no
+ filename: files-json.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ force-magic: no # force logging magic on all logged files
+ force-md5: no # force logging of md5 checksums
+
+# Magic file. The extension .mgc is added to the value here.
+#magic-file: /usr/share/file/magic
+magic-file: /usr/share/misc/magic.mgc
+
+# When running in NFQ inline mode, it is possible to use a simulated
+# non-terminal NFQUEUE verdict.
+# This permit to do send all needed packet to suricata via this a rule:
+# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
+# And below, you can have your standard filtering ruleset. To activate
+# this mode, you need to set mode to 'repeat'
+# If you want packet to be sent to another queue after an ACCEPT decision
+# set mode to 'route' and set next-queue value.
+# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
+# by processing several packets before sending a verdict (worker runmode only).
+# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
+# accept the packet if suricata is not able to keep pace.
+nfq:
+# mode: accept
+# repeat-mark: 1
+# repeat-mask: 1
+# route-queue: 2
+# batchcount: 20
+# fail-open: yes
+
+#nflog support
+nflog:
+ # netlink multicast group
+ # (the same as the iptables --nflog-group param)
+ # Group 0 is used by the kernel, so you can't use it
+ - group: 2
+ # netlink buffer size
+ buffer-size: 18432
+ # put default value here
+ - group: default
+ # set number of packet to queue inside kernel
+ qthreshold: 1
+ # set the delay before flushing packet in the queue inside kernel
+ qtimeout: 100
+ # netlink max buffer size
+ max-size: 20000
+
+# af-packet support
+# Set threads to > 1 to use PACKET_FANOUT support
+af-packet:
+ - interface: eth0
+ # Number of receive threads (>1 will enable experimental flow pinned
+ # runmode)
+ threads: 1
+ # Default clusterid. AF_PACKET will load balance packets based on flow.
+ # All threads/processes that will participate need to have the same
+ # clusterid.
+ cluster-id: 99
+ # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
+ # This is only supported for Linux kernel > 3.1
+ # possible value are:
+ # * cluster_round_robin: round robin load balancing
+ # * cluster_flow: all packets of a given flow are send to the same socket
+ # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
+ cluster-type: cluster_flow
+ # In some fragmentation case, the hash can not be computed. If "defrag" is set
+ # to yes, the kernel will do the needed defragmentation before sending the packets.
+ defrag: yes
+ # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
+ use-mmap: yes
+ # Ring size will be computed with respect to max_pending_packets and number
+ # of threads. You can set manually the ring size in number of packets by setting
+ # the following value. If you are using flow cluster-type and have really network
+ # intensive single-flow you could want to set the ring-size independantly of the number
+ # of threads:
+ #ring-size: 2048
+ # On busy system, this could help to set it to yes to recover from a packet drop
+ # phase. This will result in some packets (at max a ring flush) being non treated.
+ #use-emergency-flush: yes
+ # recv buffer size, increase value could improve performance
+ # buffer-size: 32768
+ # Set to yes to disable promiscuous mode
+ # disable-promisc: no
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may be with an invalid checksum due to
+ # offloading to the network card of the checksum computation.
+ # Possible values are:
+ # - kernel: use indication sent by kernel for each packet (default)
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: suricata uses a statistical approach to detect when
+ # checksum off-loading is used.
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: kernel
+ # BPF filter to apply to this interface. The pcap filter syntax apply here.
+ #bpf-filter: port 80 or udp
+ # You can use the following variables to activate AF_PACKET tap od IPS mode.
+ # If copy-mode is set to ips or tap, the traffic coming to the current
+ # interface will be copied to the copy-iface interface. If 'tap' is set, the
+ # copy is complete. If 'ips' is set, the packet matching a 'drop' action
+ # will not be copied.
+ #copy-mode: ips
+ #copy-iface: eth1
+ - interface: eth1
+ threads: 1
+ cluster-id: 98
+ cluster-type: cluster_flow
+ defrag: yes
+ # buffer-size: 32768
+ # disable-promisc: no
+ # Put default values here
+ - interface: default
+ #threads: 2
+ #use-mmap: yes
+
+legacy:
+ uricontent: enabled
+
+# You can specify a threshold config file by setting "threshold-file"
+# to the path of the threshold config file:
+# threshold-file: /etc/suricata/threshold.config
+
+# The detection engine builds internal groups of signatures. The engine
+# allow us to specify the profile to use for them, to manage memory on an
+# efficient way keeping a good performance. For the profile keyword you
+# can use the words "low", "medium", "high" or "custom". If you use custom
+# make sure to define the values at "- custom-values" as your convenience.
+# Usually you would prefer medium/high/low.
+#
+# "sgh mpm-context", indicates how the staging should allot mpm contexts for
+# the signature groups. "single" indicates the use of a single context for
+# all the signature group heads. "full" indicates a mpm-context for each
+# group head. "auto" lets the engine decide the distribution of contexts
+# based on the information the engine gathers on the patterns from each
+# group head.
+#
+# The option inspection-recursion-limit is used to limit the recursive calls
+# in the content inspection code. For certain payload-sig combinations, we
+# might end up taking too much time in the content inspection code.
+# If the argument specified is 0, the engine uses an internally defined
+# default limit. On not specifying a value, we use no limits on the recursion.
+detect-engine:
+ - profile: medium
+ - custom-values:
+ toclient-src-groups: 2
+ toclient-dst-groups: 2
+ toclient-sp-groups: 2
+ toclient-dp-groups: 3
+ toserver-src-groups: 2
+ toserver-dst-groups: 4
+ toserver-sp-groups: 2
+ toserver-dp-groups: 25
+ - sgh-mpm-context: auto
+ - inspection-recursion-limit: 3000
+ # When rule-reload is enabled, sending a USR2 signal to the Suricata process
+ # will trigger a live rule reload. Experimental feature, use with care.
+ #- rule-reload: true
+ # If set to yes, the loading of signatures will be made after the capture
+ # is started. This will limit the downtime in IPS mode.
+ #- delayed-detect: yes
+
+# Suricata is multi-threaded. Here the threading can be influenced.
+threading:
+ # On some cpu's/architectures it is beneficial to tie individual threads
+ # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
+ # and each extra CPU/core has one "detect" thread.
+ #
+ # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
+ #
+ set-cpu-affinity: no
+ # Tune cpu affinity of suricata threads. Each family of threads can be bound
+ # on specific CPUs.
+ cpu-affinity:
+ - management-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - receive-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - decode-cpu-set:
+ cpu: [ 0, 1 ]
+ mode: "balanced"
+ - stream-cpu-set:
+ cpu: [ "0-1" ]
+ - detect-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive" # run detect threads in these cpus
+ # Use explicitely 3 threads and don't compute number by using
+ # detect-thread-ratio variable:
+ # threads: 3
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ - verdict-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "high"
+ - reject-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "low"
+ - output-cpu-set:
+ cpu: [ "all" ]
+ prio:
+ default: "medium"
+ #
+ # By default Suricata creates one "detect" thread per available CPU/CPU core.
+ # This setting allows controlling this behaviour. A ratio setting of 2 will
+ # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
+ # will result in 4 detect threads. If values below 1 are used, less threads
+ # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
+ # thread being created. Regardless of the setting at a minimum 1 detect
+ # thread will always be created.
+ #
+ detect-thread-ratio: 1.5
+
+# Cuda configuration.
+cuda:
+ # The "mpm" profile. On not specifying any of these parameters, the engine's
+ # internal default values are used, which are same as the ones specified in
+ # in the default conf file.
+ mpm:
+ # The minimum length required to buffer data to the gpu.
+ # Anything below this is MPM'ed on the CPU.
+ # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
+ # A value of 0 indicates there's no limit.
+ data-buffer-size-min-limit: 0
+ # The maximum length for data that we would buffer to the gpu.
+ # Anything over this is MPM'ed on the CPU.
+ # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
+ data-buffer-size-max-limit: 1500
+ # The ring buffer size used by the CudaBuffer API to buffer data.
+ cudabuffer-buffer-size: 500mb
+ # The max chunk size that can be sent to the gpu in a single go.
+ gpu-transfer-size: 50mb
+ # The timeout limit for batching of packets in microseconds.
+ batching-timeout: 2000
+ # The device to use for the mpm. Currently we don't support load balancing
+ # on multiple gpus. In case you have multiple devices on your system, you
+ # can specify the device to use, using this conf. By default we hold 0, to
+ # specify the first device cuda sees. To find out device-id associated with
+ # the card(s) on the system run "suricata --list-cuda-cards".
+ device-id: 0
+ # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
+ # For this option you need a device with Compute Capability > 1.0.
+ cuda-streams: 2
+
+# Select the multi pattern algorithm you want to run for scan/search the
+# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
+# ac and ac-gfbs.
+#
+# The mpm you choose also decides the distribution of mpm contexts for
+# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
+# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
+# to be set to "single", because of ac's memory requirements, unless the
+# ruleset is small enough to fit in one's memory, in which case one can
+# use "full" with "ac". Rest of the mpms can be run in "full" mode.
+#
+# There is also a CUDA pattern matcher (only available if Suricata was
+# compiled with --enable-cuda: b2g_cuda. Make sure to update your
+# max-pending-packets setting above as well if you use b2g_cuda.
+
+mpm-algo: ac
+
+# The memory settings for hash size of these algorithms can vary from lowest
+# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
+# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
+# medium (1024) - high (2048).
+#
+# For B2g/B3g algorithms, there is a support for two different scan/search
+# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
+# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
+# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
+# B3gSearchBNDMq.
+#
+# For B2g the different scan/search algorithms and, hash and bloom
+# filter size settings. For B3g the different scan/search algorithms and, hash
+# and bloom filter size settings. For wumanber the hash and bloom filter size
+# settings.
+
+pattern-matcher:
+ - b2gc:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b2gm:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b2g:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b3g:
+ search-algo: B3gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - wumanber:
+ hash-size: low
+ bf-size: medium
+
+# Defrag settings:
+
+defrag:
+ memcap: 32mb
+ hash-size: 65536
+ trackers: 65535 # number of defragmented flows to follow
+ max-frags: 65535 # number of fragments to keep (higher than trackers)
+ prealloc: yes
+ timeout: 60
+
+# Enable defrag per host settings
+# host-config:
+#
+# - dmz:
+# timeout: 30
+# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
+#
+# - lan:
+# timeout: 45
+# address:
+# - 192.168.0.0/24
+# - 192.168.10.0/24
+# - 172.16.14.0/24
+
+# Flow settings:
+# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
+# for flow allocation inside the engine. You can change this value to allow
+# more memory usage for flows.
+# The hash-size determine the size of the hash used to identify flows inside
+# the engine, and by default the value is 65536.
+# At the startup, the engine can preallocate a number of flows, to get a better
+# performance. The number of flows preallocated is 10000 by default.
+# emergency-recovery is the percentage of flows that the engine need to
+# prune before unsetting the emergency state. The emergency state is activated
+# when the memcap limit is reached, allowing to create new flows, but
+# prunning them with the emergency timeouts (they are defined below).
+# If the memcap is reached, the engine will try to prune flows
+# with the default timeouts. If it doens't find a flow to prune, it will set
+# the emergency bit and it will try again with more agressive timeouts.
+# If that doesn't work, then it will try to kill the last time seen flows
+# not in use.
+# The memcap can be specified in kb, mb, gb. Just a number indicates it's
+# in bytes.
+
+flow:
+ memcap: 64mb
+ hash-size: 65536
+ prealloc: 10000
+ emergency-recovery: 30
+
+# This option controls the use of vlan ids in the flow (and defrag)
+# hashing. Normally this should be enabled, but in some (broken)
+# setups where both sides of a flow are not tagged with the same vlan
+# tag, we can ignore the vlan id's in the flow hashing.
+vlan:
+ use-for-tracking: true
+
+# Specific timeouts for flows. Here you can specify the timeouts that the
+# active flows will wait to transit from the current state to another, on each
+# protocol. The value of "new" determine the seconds to wait after a hanshake or
+# stream startup before the engine free the data of that flow it doesn't
+# change the state to established (usually if we don't receive more packets
+# of that flow). The value of "established" is the amount of
+# seconds that the engine will wait to free the flow if it spend that amount
+# without receiving new packets or closing the connection. "closed" is the
+# amount of time to wait after a flow is closed (usually zero).
+#
+# There's an emergency mode that will become active under attack circumstances,
+# making the engine to check flow status faster. This configuration variables
+# use the prefix "emergency-" and work similar as the normal ones.
+# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
+# icmp.
+
+flow-timeouts:
+
+ default:
+ new: 30
+ established: 300
+ closed: 0
+ emergency-new: 10
+ emergency-established: 100
+ emergency-closed: 0
+ tcp:
+ new: 60
+ established: 3600
+ closed: 120
+ emergency-new: 10
+ emergency-established: 300
+ emergency-closed: 20
+ udp:
+ new: 30
+ established: 300
+ emergency-new: 10
+ emergency-established: 100
+ icmp:
+ new: 30
+ established: 300
+ emergency-new: 10
+ emergency-established: 100
+
+# Stream engine settings. Here the TCP stream tracking and reassembly
+# engine is configured.
+#
+# stream:
+# memcap: 32mb # Can be specified in kb, mb, gb. Just a
+# # number indicates it's in bytes.
+# checksum-validation: yes # To validate the checksum of received
+# # packet. If csum validation is specified as
+# # "yes", then packet with invalid csum will not
+# # be processed by the engine stream/app layer.
+# # Warning: locally generated trafic can be
+# # generated without checksum due to hardware offload
+# # of checksum. You can control the handling of checksum
+# # on a per-interface basis via the 'checksum-checks'
+# # option
+# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
+# midstream: false # don't allow midstream session pickups
+# async-oneside: false # don't enable async stream handling
+# inline: no # stream inline mode
+# max-synack-queued: 5 # Max different SYN/ACKs to queue
+#
+# reassembly:
+# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
+# # indicates it's in bytes.
+# depth: 1mb # Can be specified in kb, mb, gb. Just a number
+# # indicates it's in bytes.
+# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
+# # this size. Can be specified in kb, mb,
+# # gb. Just a number indicates it's in bytes.
+# # The max acceptable size is 4024 bytes.
+# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
+# # this size. Can be specified in kb, mb,
+# # gb. Just a number indicates it's in bytes.
+# # The max acceptable size is 4024 bytes.
+# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
+# # This lower the risk of some evasion technics but could lead
+# # detection change between runs. It is set to 'yes' by default.
+# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
+# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
+# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
+# # of randomize-chunk-range is 10.
+#
+# raw: yes # 'Raw' reassembly enabled or disabled.
+# # raw is for content inspection by detection
+# # engine.
+#
+# chunk-prealloc: 250 # Number of preallocated stream chunks. These
+# # are used during stream inspection (raw).
+# segments: # Settings for reassembly segment pool.
+# - size: 4 # Size of the (data)segment for a pool
+# prealloc: 256 # Number of segments to prealloc and keep
+# # in the pool.
+#
+stream:
+ memcap: 32mb
+ checksum-validation: yes # reject wrong csums
+ inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ reassembly:
+ memcap: 128mb
+ depth: 1mb # reassemble 1mb into a stream
+ toserver-chunk-size: 2560
+ toclient-chunk-size: 2560
+ randomize-chunk-size: yes
+ #randomize-chunk-range: 10
+ #raw: yes
+ #chunk-prealloc: 250
+ #segments:
+ # - size: 4
+ # prealloc: 256
+ # - size: 16
+ # prealloc: 512
+ # - size: 112
+ # prealloc: 512
+ # - size: 248
+ # prealloc: 512
+ # - size: 512
+ # prealloc: 512
+ # - size: 768
+ # prealloc: 1024
+ # - size: 1448
+ # prealloc: 1024
+ # - size: 65535
+ # prealloc: 128
+
+# Host table:
+#
+# Host table is used by tagging and per host thresholding subsystems.
+#
+host:
+ hash-size: 4096
+ prealloc: 1000
+ memcap: 16777216
+
+# Logging configuration. This is not about logging IDS alerts, but
+# IDS output about what its doing, errors, etc.
+logging:
+
+ # The default log level, can be overridden in an output section.
+ # Note that debug level logging will only be emitted if Suricata was
+ # compiled with the --enable-debug configure option.
+ #
+ # This value is overriden by the SC_LOG_LEVEL env var.
+ default-log-level: notice
+
+ # The default output format. Optional parameter, should default to
+ # something reasonable if not provided. Can be overriden in an
+ # output section. You can leave this out to get the default.
+ #
+ # This value is overriden by the SC_LOG_FORMAT env var.
+ #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
+
+ # A regex to filter output. Can be overridden in an output section.
+ # Defaults to empty (no filter).
+ #
+ # This value is overriden by the SC_LOG_OP_FILTER env var.
+ default-output-filter:
+
+ # Define your logging outputs. If none are defined, or they are all
+ # disabled you will get the default - console output.
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: no
+ filename: /var/log/suricata.log
+ - syslog:
+ enabled: yes
+ facility: local5
+ format: "[%i] <%d> -- "
+
+# Tilera mpipe configuration. for use on Tilera TILE-Gx.
+mpipe:
+
+ # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
+ load-balance: dynamic
+
+ # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
+ iqueue-packets: 2048
+
+ # List of interfaces we will listen on.
+ inputs:
+ - interface: xgbe2
+ - interface: xgbe3
+ - interface: xgbe4
+
+
+ # Relative weight of memory for packets of each mPipe buffer size.
+ stack:
+ size128: 0
+ size256: 9
+ size512: 0
+ size1024: 0
+ size1664: 7
+ size4096: 0
+ size10386: 0
+ size16384: 0
+
+# PF_RING configuration. for use with native PF_RING support
+# for more info see http://www.ntop.org/PF_RING.html
+pfring:
+ - interface: eth0
+ # Number of receive threads (>1 will enable experimental flow pinned
+ # runmode)
+ threads: 1
+
+ # Default clusterid. PF_RING will load balance packets based on flow.
+ # All threads/processes that will participate need to have the same
+ # clusterid.
+ cluster-id: 99
+
+ # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
+ # This is only supported in versions of PF_RING > 4.1.1.
+ cluster-type: cluster_flow
+ # bpf filter for this interface
+ #bpf-filter: tcp
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may be with an invalid checksum due to
+ # offloading to the network card of the checksum computation.
+ # Possible values are:
+ # - rxonly: only compute checksum for packets received by network card.
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: auto
+ # Second interface
+ #- interface: eth1
+ # threads: 3
+ # cluster-id: 93
+ # cluster-type: cluster_flow
+ # Put default values here
+ - interface: default
+ #threads: 2
+
+pcap:
+ - interface: eth0
+ # On Linux, pcap will try to use mmaped capture and will use buffer-size
+ # as total of memory used by the ring. So set this to something bigger
+ # than 1% of your bandwidth.
+ #buffer-size: 16777216
+ #bpf-filter: "tcp and port 25"
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may be with an invalid checksum due to
+ # offloading to the network card of the checksum computation.
+ # Possible values are:
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: auto
+ # With some accelerator cards using a modified libpcap (like myricom), you
+ # may want to have the same number of capture threads as the number of capture
+ # rings. In this case, set up the threads variable to N to start N threads
+ # listening on the same interface.
+ #threads: 16
+ # set to no to disable promiscuous mode:
+ #promisc: no
+ # set snaplen, if not set it defaults to MTU if MTU can be known
+ # via ioctl call and to full capture if not.
+ #snaplen: 1518
+ # Put default values here
+ - interface: default
+ #checksum-checks: auto
+
+pcap-file:
+ # Possible values are:
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have checksum tested
+ checksum-checks: auto
+
+# For FreeBSD ipfw(8) divert(4) support.
+# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
+# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
+# Additionally, you need to have an ipfw rule for the engine to see
+# the packets from ipfw. For Example:
+#
+# ipfw add 100 divert 8000 ip from any to any
+#
+# The 8000 above should be the same number you passed on the command
+# line, i.e. -d 8000
+#
+ipfw:
+
+ # Reinject packets at the specified ipfw rule number. This config
+ # option is the ipfw rule number AT WHICH rule processing continues
+ # in the ipfw processing system after the engine has finished
+ # inspecting the packet for acceptance. If no rule number is specified,
+ # accepted packets are reinjected at the divert rule which they entered
+ # and IPFW rule processing continues. No check is done to verify
+ # this will rule makes sense so care must be taken to avoid loops in ipfw.
+ #
+ ## The following example tells the engine to reinject packets
+ # back into the ipfw firewall AT rule number 5500:
+ #
+ # ipfw-reinjection-rule-number: 5500
+
+# Set the default rule path here to search for the files.
+# if not set, it will look at the current working dir
+default-rule-path: /etc/suricata/rules
+rule-files:
+ - botcc.rules
+ - ciarmy.rules
+ - compromised.rules
+ - drop.rules
+ - dshield.rules
+ - emerging-activex.rules
+ - emerging-attack_response.rules
+ - emerging-chat.rules
+ - emerging-current_events.rules
+ - emerging-dns.rules
+ - emerging-dos.rules
+ - emerging-exploit.rules
+ - emerging-ftp.rules
+ - emerging-games.rules
+ - emerging-icmp_info.rules
+# - emerging-icmp.rules
+ - emerging-imap.rules
+ - emerging-inappropriate.rules
+ - emerging-malware.rules
+ - emerging-misc.rules
+ - emerging-mobile_malware.rules
+ - emerging-netbios.rules
+ - emerging-p2p.rules
+ - emerging-policy.rules
+ - emerging-pop3.rules
+ - emerging-rpc.rules
+ - emerging-scada.rules
+ - emerging-scan.rules
+ - emerging-shellcode.rules
+ - emerging-smtp.rules
+ - emerging-snmp.rules
+ - emerging-sql.rules
+ - emerging-telnet.rules
+ - emerging-tftp.rules
+ - emerging-trojan.rules
+ - emerging-user_agents.rules
+ - emerging-voip.rules
+ - emerging-web_client.rules
+ - emerging-web_server.rules
+ - emerging-web_specific_apps.rules
+ - emerging-worm.rules
+ - tor.rules
+ - decoder-events.rules # available in suricata sources under rules dir
+ - stream-events.rules # available in suricata sources under rules dir
+ - http-events.rules # available in suricata sources under rules dir
+ - smtp-events.rules # available in suricata sources under rules dir
+ - dns-events.rules # available in suricata sources under rules dir
+ - tls-events.rules # available in suricata sources under rules dir
+
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+
+# Holds variables that would be used by the engine.
+vars:
+
+ # Holds the address group vars that would be passed in a Signature.
+ # These would be retrieved during the Signature address parsing stage.
+ address-groups:
+
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+
+ EXTERNAL_NET: "!$HOME_NET"
+
+ HTTP_SERVERS: "$HOME_NET"
+
+ SMTP_SERVERS: "$HOME_NET"
+
+ SQL_SERVERS: "$HOME_NET"
+
+ DNS_SERVERS: "$HOME_NET"
+
+ TELNET_SERVERS: "$HOME_NET"
+
+ AIM_SERVERS: "$EXTERNAL_NET"
+
+ DNP3_SERVER: "$HOME_NET"
+
+ DNP3_CLIENT: "$HOME_NET"
+
+ MODBUS_CLIENT: "$HOME_NET"
+
+ MODBUS_SERVER: "$HOME_NET"
+
+ ENIP_CLIENT: "$HOME_NET"
+
+ ENIP_SERVER: "$HOME_NET"
+
+ # Holds the port group vars that would be passed in a Signature.
+ # These would be retrieved during the Signature port parsing stage.
+ port-groups:
+
+ HTTP_PORTS: "80"
+
+ SHELLCODE_PORTS: "!80"
+
+ ORACLE_PORTS: 1521
+
+ SSH_PORTS: 22
+
+ DNP3_PORTS: 20000
+
+# Set the order of alerts bassed on actions
+# The default order is pass, drop, reject, alert
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+# IP Reputation
+#reputation-categories-file: /etc/suricata/iprep/categories.txt
+#default-reputation-path: /etc/suricata/iprep
+#reputation-files:
+# - reputation.list
+
+# Host specific policies for defragmentation and TCP stream
+# reassembly. The host OS lookup is done using a radix tree, just
+# like a routing table so the most specific entry matches.
+host-os-policy:
+ # Make the default policy windows.
+ windows: [0.0.0.0/0]
+ bsd: []
+ bsd-right: []
+ old-linux: []
+ linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
+ old-solaris: []
+ solaris: ["::1"]
+ hpux10: []
+ hpux11: []
+ irix: []
+ macos: []
+ vista: []
+ windows2k3: []
+
+
+# Limit for the maximum number of asn1 frames to decode (default 256)
+asn1-max-frames: 256
+
+# When run with the option --engine-analysis, the engine will read each of
+# the parameters below, and print reports for each of the enabled sections
+# and exit. The reports are printed to a file in the default log dir
+# given by the parameter "default-log-dir", with engine reporting
+# subsection below printing reports in its own report file.
+engine-analysis:
+ # enables printing reports for fast-pattern for every rule.
+ rules-fast-pattern: yes
+ # enables printing reports for each rule
+ rules: yes
+
+#recursion and match limits for PCRE where supported
+pcre:
+ match-limit: 3500
+ match-limit-recursion: 1500
+
+# Holds details on the app-layer. The protocols section details each protocol.
+# Under each protocol, the default value for detection-enabled and "
+# parsed-enabled is yes, unless specified otherwise.
+# Each protocol covers enabling/disabling parsers for all ipprotos
+# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
+# version of the protocol as well as the udp version of the protocol.
+# The option "enabled" takes 3 values - "yes", "no", "detection-only".
+# "yes" enables both detection and the parser, "no" disables both, and
+# "detection-only" enables detection only(parser disabled).
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ #no-reassemble: yes
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ imap:
+ enabled: detection-only
+ msn:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ detection-ports:
+ dp: 139
+ # smb2 detection is disabled internally inside the engine.
+ #smb2:
+ # enabled: yes
+ dns:
+ # memcaps. Globally and per flow/state.
+ #global-memcap: 16mb
+ #state-memcap: 512kb
+
+ # How many unreplied DNS requests are considered a flood.
+ # If the limit is reached, app-layer-event:dns.flooded; will match.
+ #request-flood: 500
+
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ http:
+ enabled: yes
+ # memcap: 64mb
+
+ ###########################################################################
+ # Configure libhtp.
+ #
+ #
+ # default-config: Used when no server-config matches
+ # personality: List of personalities used by default
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ #
+ # server-config: List of server configurations to use if address matches
+ # address: List of ip addresses or networks for this block
+ # personalitiy: List of personalities used by this block
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ #
+ # uri-include-all: Include all parts of the URI. By default the
+ # 'scheme', username/password, hostname and port
+ # are excluded. Setting this option to true adds
+ # all of them to the normalized uri as inspected
+ # by http_uri, urilen, pcre with /U and the other
+ # keywords that inspect the normalized uri.
+ # Note that this does not affect http_raw_uri.
+ # Also, note that including all was the default in
+ # 1.4 and 2.0beta1.
+ #
+ # meta-field-limit: Hard size limit for request and response size
+ # limits. Applies to request line and headers,
+ # response line and headers. Does not apply to
+ # request or response bodies. Default is 18k.
+ # If this limit is reached an event is raised.
+ #
+ # Currently Available Personalities:
+ # Minimal
+ # Generic
+ # IDS (default)
+ # IIS_4_0
+ # IIS_5_0
+ # IIS_5_1
+ # IIS_6_0
+ # IIS_7_0
+ # IIS_7_5
+ # Apache_2
+ ###########################################################################
+ libhtp:
+
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 3072
+ response-body-limit: 3072
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 32kb
+ response-body-inspect-window: 4kb
+ # Take a random value for inspection sizes around the specified value.
+ # This lower the risk of some evasion technics but could lead
+ # detection change between runs. It is set to 'yes' by default.
+ #randomize-inspection-sizes: yes
+ # If randomize-inspection-sizes is active, the value of various
+ # inspection size will be choosen in the [1 - range%, 1 + range%]
+ # range
+ # Default value of randomize-inspection-range is 10.
+ #randomize-inspection-range: 10
+
+ # decoding
+ double-decode-path: no
+ double-decode-query: no
+
+ server-config:
+
+ #- apache:
+ # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+ # personality: Apache_2
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+ #- iis7:
+ # address:
+ # - 192.168.0.0/24
+ # - 192.168.10.0/24
+ # personality: IIS_7_0
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+# Profiling settings. Only effective if Suricata has been built with the
+# the --enable-profiling configure flag.
+#
+profiling:
+ # Run profiling for every xth packet. The default is 1, which means we
+ # profile every packet. If set to 1000, one packet is profiled for every
+ # 1000 received.
+ #sample-rate: 1000
+
+ # rule profiling
+ rules:
+
+ # Profiling can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: yes
+ filename: rule_perf.log
+ append: yes
+
+ # Sort options: ticks, avgticks, checks, matches, maxticks
+ sort: avgticks
+
+ # Limit the number of items printed at exit.
+ limit: 100
+
+ # per keyword profiling
+ keywords:
+ enabled: yes
+ filename: keyword_perf.log
+ append: yes
+
+ # packet profiling
+ packets:
+
+ # Profiling can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: yes
+ filename: packet_stats.log
+ append: yes
+
+ # per packet csv output
+ csv:
+
+ # Output can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: no
+ filename: packet_stats.csv
+
+ # profiling of locking. Only available when Suricata was built with
+ # --enable-profiling-locks.
+ locks:
+ enabled: no
+ filename: lock_stats.log
+ append: yes
+
+# Suricata core dump configuration. Limits the size of the core dump file to
+# approximately max-dump. The actual core dump size will be a multiple of the
+# page size. Core dumps that would be larger than max-dump are truncated. On
+# Linux, the actual core dump size may be a few pages larger than max-dump.
+# Setting max-dump to 0 disables core dumping.
+# Setting max-dump to 'unlimited' will give the full core dump file.
+# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
+# to be 'unlimited'.
+
+coredump:
+ max-dump: unlimited
+
+napatech:
+ # The Host Buffer Allowance for all streams
+ # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
+ hba: -1
+
+ # use_all_streams set to "yes" will query the Napatech service for all configured
+ # streams and listen on all of them. When set to "no" the streams config array
+ # will be used.
+ use-all-streams: yes
+
+ # The streams to listen on
+ streams: [1, 2, 3]
+
+# Includes. Files included here will be handled as if they were
+# inlined in this configuration file.
+#include: include1.yaml
+#include: include2.yaml
diff --git a/recipes-ids/suricata/files/volatiles.03_suricata b/recipes-ids/suricata/files/volatiles.03_suricata
new file mode 100644
index 0000000..4627bd3
--- /dev/null
+++ b/recipes-ids/suricata/files/volatiles.03_suricata
@@ -0,0 +1,2 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d root root 0755 /var/log/suricata none
diff --git a/recipes-ids/suricata/libhtp_0.5.29.bb b/recipes-ids/suricata/libhtp_0.5.29.bb
new file mode 100644
index 0000000..8305f70
--- /dev/null
+++ b/recipes-ids/suricata/libhtp_0.5.29.bb
@@ -0,0 +1,15 @@
+SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+DEPENDS = "zlib"
+
+inherit autotools pkgconfig
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+S = "${WORKDIR}/suricata-${VER}/${BPN}"
+
+RDEPENDS_${PN} += "zlib"
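Review bot: The "0.5.29" in this recipe's name is not tied to anything it builds — S points into the suricata-${VER} tree fetched by suricata.inc, so the libhtp version actually compiled is whatever that tarball bundles, and bumping VER there will silently leave this recipe's PV (and with it CVE/cve-check tracking for libhtp) stale. At minimum add a comment on the `S =` line such as `# Built from the libhtp bundled in the suricata-${VER} tarball; keep PV in sync with that bundled version when VER changes`, or derive the recipe's version from the tarball rather than hard-coding it in the filename. The `RDEPENDS_${PN} += "zlib"` line is also redundant: the shared-library dependency on zlib is picked up automatically from the linked .so, so the explicit entry only adds noise.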
diff --git a/recipes-ids/suricata/suricata.inc b/recipes-ids/suricata/suricata.inc
new file mode 100644
index 0000000..7be403c
--- /dev/null
+++ b/recipes-ids/suricata/suricata.inc
@@ -0,0 +1,9 @@
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+
+VER = "4.1.3"
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
+
+SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
+SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"
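Review bot: The source tarball is fetched over plain `http://` on the SRC_URI line; the sha256sum below means a tampered download will fail the fetch, but an on-path party can still serve a stale or blocked response, and there is no reason to give up transport protection on the download itself. If the host serves it, switch to `SRC_URI = "https://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"`. The md5sum entry adds nothing once the sha256sum is present and can be dropped.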
diff --git a/recipes-ids/suricata/suricata_4.1.3.bb b/recipes-ids/suricata/suricata_4.1.3.bb
new file mode 100644
index 0000000..d6f5937
--- /dev/null
+++ b/recipes-ids/suricata/suricata_4.1.3.bb
@@ -0,0 +1,97 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI += "file://emerging.rules.tar.gz;name=rules"
+
+SRC_URI += " \
+ file://volatiles.03_suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ "
+
+SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
+SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
+
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
+ ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+
+EXTRA_OECONF += " --disable-debug \
+ --enable-non-bundled-htp \
+ --disable-gccmarch-native \
+ --disable-suricata-update \
+ "
+
+PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
+
+export logdir = "${localstatedir}/log"
+
+do_install_append () {
+
+ install -d ${D}${sysconfdir}/suricata
+
+ oe_runmake install-conf DESTDIR=${D}
+
+ # mimic move of downloaded rules to e_sysconfrulesdir
+ cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
+
+ oe_runmake install-rules DESTDIR=${D}
+
+ install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+ install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-socketcontrol"
+FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+
+RDEPENDS_${PN}-python = "python"
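Review bot: `RDEPENDS_${PN}-python = "python"` on the last line refers to a package that is never declared in PACKAGES and names python2, while the `python` PACKAGECONFIG above depends on python3, so the line is dead at best and wrong at worst. Meanwhile `${PN}-socketcontrol` packages `${bindir}/suricatasc` together with `${PYTHON_SITEPACKAGES_DIR}` but declares no runtime dependency, so the control client (presumably a Python script, judging by the site-packages payload) can land on the target without an interpreter when the python option is enabled; something like `RDEPENDS_${PN}-socketcontrol = "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}"` in place of the dead line would close that. The postinst also tests the literal `/etc/init.d/populate-volatile.sh` but then executes `${sysconfdir}/init.d/populate-volatile.sh`; use the same spelling in both places. Finally, the ruleset is a 2 MB tarball checked into the layer and `--disable-suricata-update` removes the updater, so the IDS ships with a frozen signature set — worth a comment next to the `rules` SRC_URI stating that the tarball must be refreshed by hand and how.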
diff --git a/recipes-ids/tripwire/files/add_armeb_arch.patch b/recipes-ids/tripwire/files/add_armeb_arch.patch
new file mode 100644
index 0000000..2379d66
--- /dev/null
+++ b/recipes-ids/tripwire/files/add_armeb_arch.patch
@@ -0,0 +1,18 @@
+tripwire: Add armeb support
+
+Upstream-Status: Submitted to tripwire-dev
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub
+--- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530
++++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530
+@@ -268,7 +268,7 @@ case $basic_machine in
+ # FIXME: clean up the formatting here.
+ vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
+ | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \
+- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
++ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
+ | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
+ | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+ | xmp-* | ymp-* \
diff --git a/recipes-ids/tripwire/files/run-ptest b/recipes-ids/tripwire/files/run-ptest
new file mode 100644
index 0000000..aedfddc
--- /dev/null
+++ b/recipes-ids/tripwire/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./twtest.pl
diff --git a/recipes-ids/tripwire/files/tripwire.cron b/recipes-ids/tripwire/files/tripwire.cron
new file mode 100644
index 0000000..2035508
--- /dev/null
+++ b/recipes-ids/tripwire/files/tripwire.cron
@@ -0,0 +1,8 @@
+#!/bin/sh
+HOST_NAME=`uname -n`
+if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
+ echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
+ echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
+else
+ test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
+fi
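Review bot: The missing-database branch prints an error but the script still exits 0, so cron or any monitoring that keys on exit status will treat a host with no Tripwire baseline as healthy; add `exit 1` after the second `echo` in that branch. The inner double quotes in `echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"` close and reopen the string instead of being printed, so the quotation marks are silently dropped — escape them as `\"` or use single quotes; the same construct is in tripwire.sh. Likewise the `test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check` guard skips the integrity check with status 0 when the signed config is absent, which is another state worth reporting rather than hiding.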
diff --git a/recipes-ids/tripwire/files/tripwire.sh b/recipes-ids/tripwire/files/tripwire.sh
new file mode 100644
index 0000000..4276d10
--- /dev/null
+++ b/recipes-ids/tripwire/files/tripwire.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+HOST_NAME=`uname -n`
+if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
+ echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****"
+ echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
+ # Note: /etc/tripwire/twinstall.sh creates and initializes tripwire
+ # database (i.e tripwire --init).
+ # Example: . /etc/tripwire/twinstall.sh 2> /dev/null
+fi
diff --git a/recipes-ids/tripwire/files/tripwire.txt b/recipes-ids/tripwire/files/tripwire.txt
new file mode 100644
index 0000000..332d004
--- /dev/null
+++ b/recipes-ids/tripwire/files/tripwire.txt
@@ -0,0 +1,69 @@
+Post-Installation Instructions
+1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files.
+Note: Once encoded and signed, the configuration file should not be renamed or moved.
+2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
+3. Run the first integrity check. (/usr/sbin/tripwire--check)
+4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
+5. Edit the policy file (twpol.txt) with a text editor, if desired.
+
+Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.
+
+Modifying the Policy File
+You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system.
+
+Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language.
+
+After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software.
+
+Selecting Passphrases
+Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
+Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
+
+Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.
+
+Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
+
+Initializing the Database
+In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
+tripwire --init
+
+Running an Integrity Check
+The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
+tripwire --check
+
+Printing Reports - twprint Print Report Mode
+The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used.
+Example: On a machine named LIGHTHOUSE, the command would be:
+./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
+
+Updating the Database after an Integrity Check
+Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
+tripwire --update
+
+Updating the Policy File
+Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:
+tripwire --update-policy
+
+Testing email functions
+Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
+tripwire --test
+
+Tripwire Components
+The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore.
+
+System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file.
+
+The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
+
+When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.
+
+The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits.
+
+Tripwire Help
+All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
+
+-? Display usage and version information
+--help Display all command modes
+--help all Display help for all command modes
+--help [mode] Display help for current command mode
+--version Display version information
diff --git a/recipes-ids/tripwire/files/twcfg.txt b/recipes-ids/tripwire/files/twcfg.txt
new file mode 100644
index 0000000..224e920
--- /dev/null
+++ b/recipes-ids/tripwire/files/twcfg.txt
@@ -0,0 +1,15 @@
+ROOT =/usr/sbin
+POLFILE =/etc/tripwire/tw.pol
+DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
+REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
+SITEKEYFILE =/etc/tripwire/site.key
+LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
+EDITOR =/usr/bin/nano
+LATEPROMPTING =false
+LOOSEDIRECTORYCHECKING =false
+MAILNOVIOLATIONS =true
+EMAILREPORTLEVEL =3
+REPORTLEVEL =3
+MAILMETHOD =SENDMAIL
+SYSLOGREPORTING =false
+MAILPROGRAM =/usr/lib/sendmail -t
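Review bot: `EDITOR =/usr/bin/nano` and `MAILPROGRAM =/usr/lib/sendmail -t` are absolute host paths that may not exist in a Yocto image, and unless the tripwire recipe substitutes them (the way the suricata recipe rewrites its unit file with `${bindir}`/`${libdir}`), `tripwire --update` and mail reporting will fail on target. With `MAILNOVIOLATIONS =true` and `MAILMETHOD =SENDMAIL` every scheduled check tries to send mail, so a missing sendmail surfaces as an error on each run, not only when there is a violation. On a headless device syslog is usually the only channel that is collected, so `SYSLOGREPORTING =true` is worth considering so integrity-check results reach the system log as well.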
diff --git a/recipes-ids/tripwire/files/twinstall.sh b/recipes-ids/tripwire/files/twinstall.sh
new file mode 100644
index 0000000..7d1b63f
--- /dev/null
+++ b/recipes-ids/tripwire/files/twinstall.sh
@@ -0,0 +1,320 @@
+#!/bin/sh
+
+########################################################################
+########################################################################
+##
+## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
+##
+## Copyleft information contained in footer
+##
+########################################################################
+########################################################################
+
+##=======================================================
+## Setup
+##=======================================================
+
+# We can assume all the correct tools are in place because the
+# RPM installed, didn't it?
+
+##-------------------------------------------------------
+## Set HOST_NAME variable
+##-------------------------------------------------------
+HOST_NAME='localhost'
+if uname -n > /dev/null 2> /dev/null ; then
+ HOST_NAME=`uname -n`
+fi
+
+##-------------------------------------------------------
+## Program variables - edited by RPM during initial install
+##-------------------------------------------------------
+
+# Site Passphrase variable
+TW_SITE_PASS="tripwire"
+
+# Complete path to site key
+SITE_KEY="/etc/tripwire/site.key"
+
+# Local Passphrase variable
+TW_LOCAL_PASS="tripwire"
+
+# Complete path to local key
+LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
+
+# If clobber==true, overwrite files; if false, do not overwrite files.
+CLOBBER="false"
+
+# If prompt==true, ask for confirmation before continuing with install.
+PROMPT="true"
+
+# Name of twadmin executeable
+TWADMIN="twadmin"
+
+# Path to twadmin executeable
+TWADMPATH=/usr/sbin
+
+# Path to configuration directory
+CONF_PATH="/etc/tripwire"
+
+# Name of clear text policy file
+TXT_POL=$CONF_PATH/twpol.txt
+
+# Name of clear text configuration file
+TXT_CFG=$CONF_PATH/twcfg.txt
+
+# Name of encrypted configuration file
+CONFIG_FILE=$CONF_PATH/tw.cfg
+
+# Path of the final Tripwire policy file (signed)
+SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
+
+
+##=======================================================
+## Create Key Files
+##=======================================================
+
+##-------------------------------------------------------
+## If user has to enter a passphrase, give some
+## advice about what is appropriate.
+##-------------------------------------------------------
+
+if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
+cat << END_OF_TEXT
+
+----------------------------------------------
+The Tripwire site and local passphrases are used to
+sign a variety of files, such as the configuration,
+policy, and database files.
+
+Passphrases should be at least 8 characters in length
+and contain both letters and numbers.
+
+See the Tripwire manual for more information.
+END_OF_TEXT
+fi
+
+##=======================================================
+## Generate keys.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Creating key files..."
+
+##-------------------------------------------------------
+## Site key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it. Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
+ rm -f "$SITE_KEY"
+fi
+
+if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+ echo "The site key file \"$SITE_KEY\""
+ echo 'exists and will not be overwritten.'
+else
+ cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
+ if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+ fi
+ eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+ if [ $? -ne 0 ] ; then
+ echo "Error: site key generation failed"
+ exit 1
+ else chmod 640 "$SITE_KEY"
+ fi
+fi
+
+##-------------------------------------------------------
+## Local key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it. Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
+ rm -f "$LOCAL_KEY"
+fi
+
+if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+ echo "The site key file \"$LOCAL_KEY\""
+ echo 'exists and will not be overwritten.'
+else
+ cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
+ if [ -n "$TW_LOCAL_PASS" ] ; then
+ cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
+ fi
+ eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+ if [ $? -ne 0 ] ; then
+ echo "Error: local key generation failed"
+ exit 1
+ else chmod 640 "$LOCAL_KEY"
+ fi
+fi
+
+##=======================================================
+## Sign the Configuration File
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing configuration file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing config file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
+ backup="${CONFIG_FILE}.$$.bak"
+ echo "Backing up $CONFIG_FILE"
+ echo " to $backup"
+ `mv "$CONFIG_FILE" "$backup"`
+ if [ $? -ne 0 ] ; then
+ echo "Error: backup of configuration file failed."
+ exit 1
+ fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-cfgfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
+if [ $? -ne 0 ] ; then
+ echo "Error: signing of configuration file failed."
+ exit 1
+fi
+
+# Set the rights properly
+chmod 640 "$CONFIG_FILE"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire configuration file
+$TXT_CFG
+has been preserved for your inspection. It is recommended
+that you delete this file manually after you have examined it.
+
+END_OF_TEXT
+
+##=======================================================
+## Sign tripwire policy file.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing policy file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing policy file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
+ backup="${POLICY_FILE}.$$.bak"
+ echo "Backing up $POLICY_FILE"
+ echo " to $backup"
+ mv "$POLICY_FILE" "$backup"
+ if [ $? -ne 0 ] ; then
+ echo "Error: backup of policy file failed."
+ exit 1
+ fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-polfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
+if [ $? -ne 0 ] ; then
+ echo "Error: signing of policy file failed."
+ exit 1
+fi
+
+# Set the proper rights on the newly signed policy file.
+chmod 0640 "$SIGNED_POL"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire policy file
+$TXT_POL
+has been preserved for your inspection. This implements
+a minimal policy, intended only to test essential
+Tripwire functionality. You should edit the policy file
+to describe your system, and then use twadmin to generate
+a new signed copy of the Tripwire policy.
+
+END_OF_TEXT
+
+# Initialize tripwire database
+/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
+--local-passphrase $TW_LOCAL_PASS 2> /dev/null
+
+########################################################################
+########################################################################
+#
+# TRIPWIRE GPL NOTICES
+#
+# The developer of the original code and/or files is Tripwire, Inc.
+# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
+# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
+#
+# This program is free software. The contents of this file are subject to
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your option)
+# any later version. You may redistribute it and/or modify it only in
+# compliance with the GNU General Public License.
+#
+# This program is distributed in the hope that it will be useful. However,
+# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
+# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+# Please see the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Nothing in the GNU General Public License or any other license to use the
+# code or files shall permit you to use Tripwire's trademarks,
+# service marks, or other intellectual property without Tripwire's
+# prior written consent.
+#
+# If you have any questions, please contact Tripwire, Inc. at either
+# info@tripwire.org or www.tripwire.org.
+#
+########################################################################
+########################################################################
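Review bot: Both key passphrases are fixed to the well-known string `"tripwire"` (`TW_SITE_PASS`, `TW_LOCAL_PASS`), so every image built from this recipe ships site and local keys that anyone able to read the 0640 key files can use to re-sign the policy, config and database; the script already handles an empty passphrase by letting twadmin prompt, so `TW_SITE_PASS="${TW_SITE_PASS:-}"` and `TW_LOCAL_PASS="${TW_LOCAL_PASS:-}"` would make the caller supply them (environment or interactive) instead of baking in a default. The passphrases are also passed as `--site-passphrase`/`--local-passphrase` command-line arguments through `eval`, which exposes them in the process list and breaks on quotes or `$` in the value. The policy-file backup block tests `$POLICY_FILE`, which is never assigned — the signed policy path is `$SIGNED_POL` — so that backup never runs and an existing tw.pol is overwritten even with `CLOBBER="false"`. The final `tripwire --init` discards stderr and its exit status is not checked, so a failed database initialisation still leaves the script exiting 0; drop the `2> /dev/null` and append `|| exit 1`. Minor: the local-key "exists and will not be overwritten" message says "site key file", and the backticks around `mv "$CONFIG_FILE" "$backup"` turn it into a command substitution where a plain `mv` is intended.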
diff --git a/recipes-ids/tripwire/files/twpol-yocto.txt b/recipes-ids/tripwire/files/twpol-yocto.txt
new file mode 100644
index 0000000..65f5f75
--- /dev/null
+++ b/recipes-ids/tripwire/files/twpol-yocto.txt
@@ -0,0 +1,1107 @@
+ ##############################################################################
+ # ##
+############################################################################## #
+# # #
+# Generic Policy file # #
+# V1.2.0rh # #
+# August 9, 2001 # #
+# ##
+##############################################################################
+
+
+ ##############################################################################
+ # ##
+############################################################################## #
+# # #
+# This is the example Tripwire Policy file. It is intended as a place to # #
+# start creating your own custom Tripwire Policy file. Referring to it as # #
+# well as the Tripwire Policy Guide should give you enough information to # #
+# make a good custom Tripwire Policy file that better covers your # #
+# configuration and security needs. A text version of this policy file is # #
+# called twpol.txt. # #
+# # #
+# Note that this file is tuned to an 'everything' install of Red Hat Linux. # #
+# If run unmodified, this file should create no errors on database # #
+# creation, or violations on a subsiquent integrity check. However, it is # #
+# impossible for there to be one policy file for all machines, so this # #
+# existing one errs on the side of security. Your Linux configuration will # #
+# most likey differ from the one our policy file was tuned to, and will # #
+# therefore require some editing of the default Tripwire Policy file. # #
+# # #
+# The example policy file is best run with 'Loose Directory Checking' # #
+# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
+# file. # #
+# # #
+# Email support is not included and must be added to this file. # #
+# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
+# after the 'severity=' line and add an 'emailto=' and include the email # #
+# addresses you want the violation reports to go to). Addresses are # #
+# semi-colon delimited. # #
+# ##
+##############################################################################
+
+
+
+ ##############################################################################
+ # ##
+############################################################################## #
+# # #
+# Global Variable Definitions # #
+# # #
+# These are defined at install time by the installation script. You may # #
+# Manually edit these if you are using this file directly and not from the # #
+# installation script itself. # #
+# ##
+##############################################################################
+
+@@section GLOBAL
+TWROOT=/usr/sbin;
+TWBIN=/usr/sbin;
+TWPOL="/etc/tripwire";
+TWDB="/var/lib/tripwire";
+TWSKEY="/etc/tripwire";
+TWLKEY="/etc/tripwire";
+TWREPORT="/var/lib/tripwire/report";
+HOSTNAME=localhost;
+
+@@section FS
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
+SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+
+
+# Tripwire Binaries
+(
+ rulename = "Tripwire Binaries",
+ severity = $(SIG_HI)
+)
+{
+ $(TWBIN)/siggen -> $(SEC_BIN) ;
+ $(TWBIN)/tripwire -> $(SEC_BIN) ;
+ $(TWBIN)/twadmin -> $(SEC_BIN) ;
+ $(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+ rulename = "Tripwire Data Files",
+ severity = $(SIG_HI)
+)
+{
+ # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+ # it does so by renaming the old file and creating a new one (which will
+ # have a new inode number). Inode is left turned on for keys, which shouldn't
+ # ever change.
+
+ # NOTE: The first integrity check triggers this rule and each integrity check
+ # afterward triggers this rule until a database update is run, since the
+ # database file does not exist before that point.
+
+ $(TWDB) -> $(SEC_CONFIG) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
+ $(TWSKEY)/site.key -> $(SEC_BIN) ;
+
+ #don't scan the individual reports
+ $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+
+# Tripwire HQ Connector Binaries
+#(
+# rulename = "Tripwire HQ Connector Binaries",
+# severity = $(SIG_HI)
+#)
+#{
+# $(TWBIN)/hqagent -> $(SEC_BIN) ;
+#}
+#
+# Tripwire HQ Connector - Configuration Files, Keys, and Logs
+
+ ##############################################################################
+ # ##
+############################################################################## #
+# # #
+# Note: File locations here are different than in a stock HQ Connector # #
+# installation. This is because Tripwire 2.3 uses a different path # #
+# structure than Tripwire 2.2.1. # #
+# # #
+# You may need to update your HQ Agent configuation file (or this policy # #
+# file) to correct the paths. We have attempted to support the FHS standard # #
+# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
+# places them. # #
+# ##
+##############################################################################
+
+#(
+# rulename = "Tripwire HQ Connector Data Files",
+# severity = $(SIG_HI)
+#)
+#{
+# #############################################################################
+# ##############################################################################
+# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
+# # it does so by renaming the old file and creating a new one (which will ##
+# # have a new inode number). Leaving inode turned on for keys, which ##
+# # shouldn't ever change. ##
+# #############################################################################
+#
+# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
+# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
+# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
+# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
+#
+# # Uncomment if you have agent logging enabled.
+# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
+#}
+
+
+
+# Commonly accessed directories that should remain static with regards to owner and group
+(
+ rulename = "Invariant Directories",
+ severity = $(SIG_MED)
+)
+{
+ / -> $(SEC_INVARIANT) (recurse = 0) ;
+ /home -> $(SEC_INVARIANT) (recurse = 0) ;
+ /etc -> $(SEC_INVARIANT) (recurse = 0) ;
+}
+ ################################################
+ # ##
+################################################ #
+# # #
+# File System and Disk Administration Programs # #
+# ##
+################################################
+
+(
+ rulename = "File System and Disk Administraton Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/accton -> $(SEC_CRIT) ;
+ /sbin/badblocks -> $(SEC_CRIT) ;
+ /sbin/busybox -> $(SEC_CRIT) ;
+ /sbin/busybox.anaconda -> $(SEC_CRIT) ;
+ /sbin/convertquota -> $(SEC_CRIT) ;
+ /sbin/dosfsck -> $(SEC_CRIT) ;
+ /sbin/debugfs -> $(SEC_CRIT) ;
+ /sbin/debugreiserfs -> $(SEC_CRIT) ;
+ /sbin/dumpe2fs -> $(SEC_CRIT) ;
+ /sbin/dump -> $(SEC_CRIT) ;
+ /sbin/dump.static -> $(SEC_CRIT) ;
+ # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs?
+ /sbin/e2fsck -> $(SEC_CRIT) ;
+ /sbin/e2label -> $(SEC_CRIT) ;
+ /sbin/fdisk -> $(SEC_CRIT) ;
+ /sbin/fsck -> $(SEC_CRIT) ;
+ /sbin/fsck.ext2 -> $(SEC_CRIT) ;
+ /sbin/fsck.ext3 -> $(SEC_CRIT) ;
+ /sbin/fsck.minix -> $(SEC_CRIT) ;
+ /sbin/fsck.msdos -> $(SEC_CRIT) ;
+ /sbin/fsck.vfat -> $(SEC_CRIT) ;
+ /sbin/ftl_check -> $(SEC_CRIT) ;
+ /sbin/ftl_format -> $(SEC_CRIT) ;
+ /sbin/hdparm -> $(SEC_CRIT) ;
+ #/sbin/lvchange -> $(SEC_CRIT) ;
+ #/sbin/lvcreate -> $(SEC_CRIT) ;
+ #/sbin/lvdisplay -> $(SEC_CRIT) ;
+ #/sbin/lvextend -> $(SEC_CRIT) ;
+ #/sbin/lvmchange -> $(SEC_CRIT) ;
+ #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
+ #/sbin/lvmdiskscan -> $(SEC_CRIT) ;
+ #/sbin/lvmsadc -> $(SEC_CRIT) ;
+ #/sbin/lvmsar -> $(SEC_CRIT) ;
+ #/sbin/lvreduce -> $(SEC_CRIT) ;
+ #/sbin/lvremove -> $(SEC_CRIT) ;
+ #/sbin/lvrename -> $(SEC_CRIT) ;
+ #/sbin/lvscan -> $(SEC_CRIT) ;
+ /sbin/mkbootdisk -> $(SEC_CRIT) ;
+ /sbin/mkdosfs -> $(SEC_CRIT) ;
+ /sbin/mke2fs -> $(SEC_CRIT) ;
+ /sbin/mkfs -> $(SEC_CRIT) ;
+ /sbin/mkfs.bfs -> $(SEC_CRIT) ;
+ /sbin/mkfs.ext2 -> $(SEC_CRIT) ;
+ /sbin/mkfs.minix -> $(SEC_CRIT) ;
+ /sbin/mkfs.msdos -> $(SEC_CRIT) ;
+ /sbin/mkfs.vfat -> $(SEC_CRIT) ;
+ /sbin/mkinitrd -> $(SEC_CRIT) ;
+ #/sbin/mkpv -> $(SEC_CRIT) ;
+ /sbin/mkraid -> $(SEC_CRIT) ;
+ /sbin/mkreiserfs -> $(SEC_CRIT) ;
+ /sbin/mkswap -> $(SEC_CRIT) ;
+ #/sbin/mtx -> $(SEC_CRIT) ;
+ /sbin/pam_console_apply -> $(SEC_CRIT) ;
+ /sbin/parted -> $(SEC_CRIT) ;
+ /sbin/pcinitrd -> $(SEC_CRIT) ;
+ #/sbin/pvchange -> $(SEC_CRIT) ;
+ #/sbin/pvcreate -> $(SEC_CRIT) ;
+ #/sbin/pvdata -> $(SEC_CRIT) ;
+ #/sbin/pvdisplay -> $(SEC_CRIT) ;
+ #/sbin/pvmove -> $(SEC_CRIT) ;
+ #/sbin/pvscan -> $(SEC_CRIT) ;
+ /sbin/quotacheck -> $(SEC_CRIT) ;
+ /sbin/quotaon -> $(SEC_CRIT) ;
+ /sbin/raidstart -> $(SEC_CRIT) ;
+ /sbin/reiserfsck -> $(SEC_CRIT) ;
+ /sbin/resize2fs -> $(SEC_CRIT) ;
+ /sbin/resize_reiserfs -> $(SEC_CRIT) ;
+ /sbin/restore -> $(SEC_CRIT) ;
+ /sbin/restore.static -> $(SEC_CRIT) ;
+ /sbin/scsi_info -> $(SEC_CRIT) ;
+ /sbin/sfdisk -> $(SEC_CRIT) ;
+ /sbin/stinit -> $(SEC_CRIT) ;
+ #/sbin/tapeinfo -> $(SEC_CRIT) ;
+ /sbin/tune2fs -> $(SEC_CRIT) ;
+ /sbin/unpack -> $(SEC_CRIT) ;
+ /sbin/update -> $(SEC_CRIT) ;
+ #/sbin/vgcfgbackup -> $(SEC_CRIT) ;
+ #/sbin/vgcfgrestore -> $(SEC_CRIT) ;
+ #/sbin/vgchange -> $(SEC_CRIT) ;
+ #/sbin/vgck -> $(SEC_CRIT) ;
+ #/sbin/vgcreate -> $(SEC_CRIT) ;
+ #/sbin/vgdisplay -> $(SEC_CRIT) ;
+ #/sbin/vgexport -> $(SEC_CRIT) ;
+ #/sbin/vgextend -> $(SEC_CRIT) ;
+ #/sbin/vgimport -> $(SEC_CRIT) ;
+ #/sbin/vgmerge -> $(SEC_CRIT) ;
+ #/sbin/vgmknodes -> $(SEC_CRIT) ;
+ #/sbin/vgreduce -> $(SEC_CRIT) ;
+ #/sbin/vgremove -> $(SEC_CRIT) ;
+ #/sbin/vgrename -> $(SEC_CRIT) ;
+ #/sbin/vgscan -> $(SEC_CRIT) ;
+ #/sbin/vgsplit -> $(SEC_CRIT) ;
+ /bin/chgrp -> $(SEC_CRIT) ;
+ /bin/chmod -> $(SEC_CRIT) ;
+ /bin/chown -> $(SEC_CRIT) ;
+ /bin/cp -> $(SEC_CRIT) ;
+ /bin/cpio -> $(SEC_CRIT) ;
+ /bin/mount -> $(SEC_CRIT) ;
+ /bin/umount -> $(SEC_CRIT) ;
+ /bin/mkdir -> $(SEC_CRIT) ;
+ /bin/mknod -> $(SEC_CRIT) ;
+ /bin/mktemp -> $(SEC_CRIT) ;
+ /bin/rm -> $(SEC_CRIT) ;
+ /bin/rmdir -> $(SEC_CRIT) ;
+ /bin/touch -> $(SEC_CRIT) ;
+}
+
+ ##################################
+ # ##
+################################## #
+# # #
+# Kernel Administration Programs # #
+# ##
+##################################
+
+(
+ rulename = "Kernel Administration Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/adjtimex -> $(SEC_CRIT) ;
+ /sbin/ctrlaltdel -> $(SEC_CRIT) ;
+ /sbin/depmod -> $(SEC_CRIT) ;
+ /sbin/insmod -> $(SEC_CRIT) ;
+ /sbin/insmod.static -> $(SEC_CRIT) ;
+ /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
+ /sbin/klogd -> $(SEC_CRIT) ;
+ /sbin/ldconfig -> $(SEC_CRIT) ;
+ /sbin/minilogd -> $(SEC_CRIT) ;
+ /sbin/modinfo -> $(SEC_CRIT) ;
+ #/sbin/nuactlun -> $(SEC_CRIT) ;
+ #/sbin/nuscsitcpd -> $(SEC_CRIT) ;
+ /sbin/pivot_root -> $(SEC_CRIT) ;
+ /sbin/sndconfig -> $(SEC_CRIT) ;
+ /sbin/sysctl -> $(SEC_CRIT) ;
+}
+
+ #######################
+ # ##
+####################### #
+# # #
+# Networking Programs # #
+# ##
+#######################
+
+(
+ rulename = "Networking Programs",
+ severity = $(SIG_HI)
+)
+{
+ /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ;
+ /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
+ /bin/ping -> $(SEC_CRIT) ;
+ /sbin/agetty -> $(SEC_CRIT) ;
+ /sbin/arp -> $(SEC_CRIT) ;
+ /sbin/arping -> $(SEC_CRIT) ;
+ /sbin/dhcpcd -> $(SEC_CRIT) ;
+ /sbin/ether-wake -> $(SEC_CRIT) ;
+ #/sbin/getty -> $(SEC_CRIT) ;
+ /sbin/ifcfg -> $(SEC_CRIT) ;
+ /sbin/ifconfig -> $(SEC_CRIT) ;
+ /sbin/ifdown -> $(SEC_CRIT) ;
+ /sbin/ifenslave -> $(SEC_CRIT) ;
+ /sbin/ifport -> $(SEC_CRIT) ;
+ /sbin/ifup -> $(SEC_CRIT) ;
+ /sbin/ifuser -> $(SEC_CRIT) ;
+ /sbin/ip -> $(SEC_CRIT) ;
+ /sbin/ip6tables -> $(SEC_CRIT) ;
+ /sbin/ipchains -> $(SEC_CRIT) ;
+ /sbin/ipchains-restore -> $(SEC_CRIT) ;
+ /sbin/ipchains-save -> $(SEC_CRIT) ;
+ /sbin/ipfwadm -> $(SEC_CRIT) ;
+ /sbin/ipmaddr -> $(SEC_CRIT) ;
+ /sbin/iptables -> $(SEC_CRIT) ;
+ /sbin/iptables-restore -> $(SEC_CRIT) ;
+ /sbin/iptables-save -> $(SEC_CRIT) ;
+ /sbin/iptunnel -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm-restore -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm-save -> $(SEC_CRIT) ;
+ /sbin/ipx_configure -> $(SEC_CRIT) ;
+ /sbin/ipx_interface -> $(SEC_CRIT) ;
+ /sbin/ipx_internal_net -> $(SEC_CRIT) ;
+ /sbin/iwconfig -> $(SEC_CRIT) ;
+ /sbin/iwgetid -> $(SEC_CRIT) ;
+ /sbin/iwlist -> $(SEC_CRIT) ;
+ /sbin/iwpriv -> $(SEC_CRIT) ;
+ /sbin/iwspy -> $(SEC_CRIT) ;
+ /sbin/mgetty -> $(SEC_CRIT) ;
+ /sbin/mingetty -> $(SEC_CRIT) ;
+ /sbin/nameif -> $(SEC_CRIT) ;
+ /sbin/netreport -> $(SEC_CRIT) ;
+ /sbin/plipconfig -> $(SEC_CRIT) ;
+ /sbin/portmap -> $(SEC_CRIT) ;
+ /sbin/ppp-watch -> $(SEC_CRIT) ;
+ #/sbin/rarp -> $(SEC_CRIT) ;
+ /sbin/route -> $(SEC_CRIT) ;
+ /sbin/slattach -> $(SEC_CRIT) ;
+ /sbin/tc -> $(SEC_CRIT) ;
+ #/sbin/uugetty -> $(SEC_CRIT) ;
+ /sbin/vgetty -> $(SEC_CRIT) ;
+ /sbin/ypbind -> $(SEC_CRIT) ;
+}
+
+ ##################################
+ # ##
+################################## #
+# # #
+# System Administration Programs # #
+# ##
+##################################
+
+(
+ rulename = "System Administration Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/chkconfig -> $(SEC_CRIT) ;
+ /sbin/fuser -> $(SEC_CRIT) ;
+ /sbin/halt -> $(SEC_CRIT) ;
+ /sbin/init -> $(SEC_CRIT) ;
+ /sbin/initlog -> $(SEC_CRIT) ;
+ /sbin/install-info -> $(SEC_CRIT) ;
+ /sbin/killall5 -> $(SEC_CRIT) ;
+ #/sbin/linuxconf -> $(SEC_CRIT) ;
+ #/sbin/linuxconf-auth -> $(SEC_CRIT) ;
+ /sbin/pam_tally -> $(SEC_CRIT) ;
+ /sbin/pwdb_chkpwd -> $(SEC_CRIT) ;
+ #/sbin/remadmin -> $(SEC_CRIT) ;
+ /sbin/rescuept -> $(SEC_CRIT) ;
+ /sbin/rmt -> $(SEC_CRIT) ;
+ /sbin/rpc.lockd -> $(SEC_CRIT) ;
+ /sbin/rpc.statd -> $(SEC_CRIT) ;
+ /sbin/rpcdebug -> $(SEC_CRIT) ;
+ /sbin/service -> $(SEC_CRIT) ;
+ /sbin/setsysfont -> $(SEC_CRIT) ;
+ /sbin/shutdown -> $(SEC_CRIT) ;
+ /sbin/sulogin -> $(SEC_CRIT) ;
+ /sbin/swapon -> $(SEC_CRIT) ;
+ /sbin/syslogd -> $(SEC_CRIT) ;
+ /sbin/unix_chkpwd -> $(SEC_CRIT) ;
+ /bin/pwd -> $(SEC_CRIT) ;
+ /bin/uname -> $(SEC_CRIT) ;
+}
+
+ ########################################
+ # ##
+######################################## #
+# # #
+# Hardware and Device Control Programs # #
+# ##
+########################################
+(
+ rulename = "Hardware and Device Control Programs",
+ severity = $(SIG_HI)
+)
+{
+ /bin/setserial -> $(SEC_CRIT) ;
+ /bin/sfxload -> $(SEC_CRIT) ;
+ /sbin/blockdev -> $(SEC_CRIT) ;
+ /sbin/cardctl -> $(SEC_CRIT) ;
+ /sbin/cardmgr -> $(SEC_CRIT) ;
+ /sbin/cbq -> $(SEC_CRIT) ;
+ /sbin/dump_cis -> $(SEC_CRIT) ;
+ /sbin/elvtune -> $(SEC_CRIT) ;
+ /sbin/hotplug -> $(SEC_CRIT) ;
+ /sbin/hwclock -> $(SEC_CRIT) ;
+ /sbin/ide_info -> $(SEC_CRIT) ;
+ #/sbin/isapnp -> $(SEC_CRIT) ;
+ /sbin/kbdrate -> $(SEC_CRIT) ;
+ /sbin/losetup -> $(SEC_CRIT) ;
+ /sbin/lspci -> $(SEC_CRIT) ;
+ /sbin/lspnp -> $(SEC_CRIT) ;
+ /sbin/mii-tool -> $(SEC_CRIT) ;
+ /sbin/pack_cis -> $(SEC_CRIT) ;
+ #/sbin/pnpdump -> $(SEC_CRIT) ;
+ /sbin/probe -> $(SEC_CRIT) ;
+ /sbin/pump -> $(SEC_CRIT) ;
+ /sbin/setpci -> $(SEC_CRIT) ;
+ /sbin/shapecfg -> $(SEC_CRIT) ;
+}
+
+ ###############################
+ # ##
+############################### #
+# # #
+# System Information Programs # #
+# ##
+###############################
+(
+ rulename = "System Information Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/consoletype -> $(SEC_CRIT) ;
+ /sbin/kernelversion -> $(SEC_CRIT) ;
+ /sbin/runlevel -> $(SEC_CRIT) ;
+}
+
+ ####################################
+ # ##
+#################################### #
+# # #
+# Application Information Programs # #
+# ##
+####################################
+
+(
+ rulename = "Application Information Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/genksyms -> $(SEC_CRIT) ;
+ #/sbin/genksyms.old -> $(SEC_CRIT) ;
+ /sbin/rtmon -> $(SEC_CRIT) ;
+}
+
+ ##########################
+ # ##
+########################## #
+# # #
+# Shell Related Programs # #
+# ##
+##########################
+(
+ rulename = "Shell Related Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin/getkey -> $(SEC_CRIT) ;
+ /sbin/nash -> $(SEC_CRIT) ;
+ /sbin/sash -> $(SEC_CRIT) ;
+}
+
+
+ ################
+ # ##
+################ #
+# # #
+# OS Utilities # #
+# ##
+################
+(
+ rulename = "Operating System Utilities",
+ severity = $(SIG_HI)
+)
+{
+ /bin/arch -> $(SEC_CRIT) ;
+ /bin/ash -> $(SEC_CRIT) ;
+ /bin/ash.static -> $(SEC_CRIT) ;
+ /bin/aumix-minimal -> $(SEC_CRIT) ;
+ /bin/basename -> $(SEC_CRIT) ;
+ /bin/cat -> $(SEC_CRIT) ;
+ /bin/consolechars -> $(SEC_CRIT) ;
+ /bin/cut -> $(SEC_CRIT) ;
+ /bin/date -> $(SEC_CRIT) ;
+ /bin/dd -> $(SEC_CRIT) ;
+ /bin/df -> $(SEC_CRIT) ;
+ /bin/dmesg -> $(SEC_CRIT) ;
+ /bin/doexec -> $(SEC_CRIT) ;
+ /bin/echo -> $(SEC_CRIT) ;
+ /bin/ed -> $(SEC_CRIT) ;
+ /bin/egrep -> $(SEC_CRIT) ;
+ /bin/false -> $(SEC_CRIT) ;
+ /bin/fgrep -> $(SEC_CRIT) ;
+ /bin/gawk -> $(SEC_CRIT) ;
+ /bin/gawk-3.1.0 -> $(SEC_CRIT) ;
+ /bin/gettext -> $(SEC_CRIT) ;
+ /bin/grep -> $(SEC_CRIT) ;
+ /bin/gunzip -> $(SEC_CRIT) ;
+ /bin/gzip -> $(SEC_CRIT) ;
+ /bin/hostname -> $(SEC_CRIT) ;
+ /bin/igawk -> $(SEC_CRIT) ;
+ /bin/ipcalc -> $(SEC_CRIT) ;
+ /bin/kill -> $(SEC_CRIT) ;
+ /bin/ln -> $(SEC_CRIT) ;
+ /bin/loadkeys -> $(SEC_CRIT) ;
+ /bin/login -> $(SEC_CRIT) ;
+ /bin/ls -> $(SEC_CRIT) ;
+ /bin/mail -> $(SEC_CRIT) ;
+ /bin/more -> $(SEC_CRIT) ;
+ /bin/mt -> $(SEC_CRIT) ;
+ /bin/mv -> $(SEC_CRIT) ;
+ /bin/netstat -> $(SEC_CRIT) ;
+ /bin/nice -> $(SEC_CRIT) ;
+ /bin/pgawk -> $(SEC_CRIT) ;
+ /bin/ps -> $(SEC_CRIT) ;
+ /bin/rpm -> $(SEC_CRIT) ;
+ /bin/sed -> $(SEC_CRIT) ;
+ /bin/sleep -> $(SEC_CRIT) ;
+ /bin/sort -> $(SEC_CRIT) ;
+ /bin/stty -> $(SEC_CRIT) ;
+ /bin/su -> $(SEC_CRIT) ;
+ /bin/sync -> $(SEC_CRIT) ;
+ /bin/tar -> $(SEC_CRIT) ;
+ /bin/true -> $(SEC_CRIT) ;
+ /bin/usleep -> $(SEC_CRIT) ;
+ /bin/vi -> $(SEC_CRIT) ;
+ /bin/zcat -> $(SEC_CRIT) ;
+ /bin/zsh -> $(SEC_CRIT) ;
+ #/bin/zsh-4.0.2 -> $(SEC_CRIT) ;
+ /sbin/sln -> $(SEC_CRIT) ;
+ /usr/bin/vimtutor -> $(SEC_CRIT) ;
+}
+
+ ##############################
+ # ##
+############################## #
+# # #
+# Critical Utility Sym-Links # #
+# ##
+##############################
+(
+ rulename = "Critical Utility Sym-Links",
+ severity = $(SIG_HI)
+)
+{
+ #/sbin/askrunlevel -> $(SEC_CRIT) ;
+ /sbin/clock -> $(SEC_CRIT) ;
+ #/sbin/fixperm -> $(SEC_CRIT) ;
+ /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
+ #/sbin/fsconf -> $(SEC_CRIT) ;
+ /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
+ /sbin/kallsyms -> $(SEC_CRIT) ;
+ /sbin/ksyms -> $(SEC_CRIT) ;
+ /sbin/lsmod -> $(SEC_CRIT) ;
+ #/sbin/mailconf -> $(SEC_CRIT) ;
+ /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
+ #/sbin/modemconf -> $(SEC_CRIT) ;
+ /sbin/modprobe -> $(SEC_CRIT) ;
+ /sbin/mount.ncp -> $(SEC_CRIT) ;
+ /sbin/mount.ncpfs -> $(SEC_CRIT) ;
+ /sbin/mount.smb -> $(SEC_CRIT) ;
+ /sbin/mount.smbfs -> $(SEC_CRIT) ;
+ #/sbin/netconf -> $(SEC_CRIT) ;
+ /sbin/pidof -> $(SEC_CRIT) ;
+ /sbin/poweroff -> $(SEC_CRIT) ;
+ /sbin/quotaoff -> $(SEC_CRIT) ;
+ /sbin/raid0run -> $(SEC_CRIT) ;
+ /sbin/raidhotadd -> $(SEC_CRIT) ;
+ /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
+ /sbin/raidhotremove -> $(SEC_CRIT) ;
+ /sbin/raidstop -> $(SEC_CRIT) ;
+ /sbin/rdump -> $(SEC_CRIT) ;
+ /sbin/rdump.static -> $(SEC_CRIT) ;
+ /sbin/reboot -> $(SEC_CRIT) ;
+ /sbin/rmmod -> $(SEC_CRIT) ;
+ /sbin/rrestore -> $(SEC_CRIT) ;
+ /sbin/rrestore.static -> $(SEC_CRIT) ;
+ /sbin/swapoff -> $(SEC_CRIT) ;
+ /sbin/telinit -> $(SEC_CRIT) ;
+ #/sbin/userconf -> $(SEC_CRIT) ;
+ #/sbin/uucpconf -> $(SEC_CRIT) ;
+ #/sbin/vregistry -> $(SEC_CRIT) ;
+ /bin/awk -> $(SEC_CRIT) ;
+ /bin/bash2 -> $(SEC_CRIT) ;
+ /bin/bsh -> $(SEC_CRIT) ;
+ /bin/csh -> $(SEC_CRIT) ;
+ /bin/dnsdomainname -> $(SEC_CRIT) ;
+ /bin/domainname -> $(SEC_CRIT) ;
+ /bin/ex -> $(SEC_CRIT) ;
+ /bin/gtar -> $(SEC_CRIT) ;
+ /bin/nisdomainname -> $(SEC_CRIT) ;
+ /bin/red -> $(SEC_CRIT) ;
+ /bin/rvi -> $(SEC_CRIT) ;
+ /bin/rview -> $(SEC_CRIT) ;
+ /bin/view -> $(SEC_CRIT) ;
+ /bin/ypdomainname -> $(SEC_CRIT) ;
+}
+
+
+ #########################
+ # ##
+######################### #
+# # #
+# Temporary directories # #
+# ##
+#########################
+(
+ rulename = "Temporary directories",
+ recurse = false,
+ severity = $(SIG_LOW)
+)
+{
+ /usr/tmp -> $(SEC_INVARIANT) ;
+ /var/tmp -> $(SEC_INVARIANT) ;
+ /tmp -> $(SEC_INVARIANT) ;
+}
+
+ ###############
+ # ##
+############### #
+# # #
+# Local files # #
+# ##
+###############
+(
+ rulename = "User binaries",
+ severity = $(SIG_MED)
+)
+{
+ /sbin -> $(SEC_BIN) (recurse = 1) ;
+ /usr/bin -> $(SEC_BIN) (recurse = 1) ;
+ /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
+ /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
+}
+
+(
+ rulename = "Shell Binaries",
+ severity = $(SIG_HI)
+)
+{
+ /bin/bash -> $(SEC_BIN) ;
+ /bin/ksh -> $(SEC_BIN) ;
+ # /bin/psh -> $(SEC_BIN) ; # No longer used?
+ # /bin/Rsh -> $(SEC_BIN) ; # No longer used?
+ /bin/sh -> $(SEC_BIN) ;
+ # /bin/shell -> $(SEC_SUID) ; # No longer used?
+ # /bin/tsh -> $(SEC_BIN) ; # No longer used?
+ /bin/tcsh -> $(SEC_BIN) ;
+ /sbin/nologin -> $(SEC_BIN) ;
+}
+
+(
+ rulename = "Security Control",
+ severity = $(SIG_HI)
+)
+{
+ /etc/group -> $(SEC_CRIT) ;
+ /etc/security -> $(SEC_CRIT) ;
+ #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
+}
+
+#(
+# rulename = "Boot Scripts",
+# severity = $(SIG_HI)
+#)
+#{
+# /etc/rc -> $(SEC_CONFIG) ;
+# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
+# /etc/rc.dt -> $(SEC_CONFIG) ;
+# /etc/rc.net -> $(SEC_CONFIG) ;
+# /etc/rc.net.serial -> $(SEC_CONFIG) ;
+# /etc/rc.nfs -> $(SEC_CONFIG) ;
+# /etc/rc.powerfail -> $(SEC_CONFIG) ;
+# /etc/rc.tcpip -> $(SEC_CONFIG) ;
+# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
+#}
+
+(
+ rulename = "Login Scripts",
+ severity = $(SIG_HI)
+)
+{
+ /etc/bashrc -> $(SEC_CONFIG) ;
+ /etc/csh.cshrc -> $(SEC_CONFIG) ;
+ /etc/csh.login -> $(SEC_CONFIG) ;
+ /etc/inputrc -> $(SEC_CONFIG) ;
+ # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
+ /etc/profile -> $(SEC_CONFIG) ;
+}
+
+# Libraries
+(
+ rulename = "Libraries",
+ severity = $(SIG_MED)
+)
+{
+ /usr/lib -> $(SEC_BIN) ;
+ /usr/local/lib -> $(SEC_BIN) ;
+}
+
+
+ ######################################################
+ # ##
+###################################################### #
+# # #
+# Critical System Boot Files # #
+# These files are critical to a correct system boot. # #
+# ##
+######################################################
+
+(
+ rulename = "Critical system boot files",
+ severity = $(SIG_HI)
+)
+{
+ /boot -> $(SEC_CRIT) ;
+ #/sbin/devfsd -> $(SEC_CRIT) ;
+ /sbin/grub -> $(SEC_CRIT) ;
+ /sbin/grub-install -> $(SEC_CRIT) ;
+ /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
+ /sbin/installkernel -> $(SEC_CRIT) ;
+ /sbin/lilo -> $(SEC_CRIT) ;
+ /sbin/mkkerneldoth -> $(SEC_CRIT) ;
+ !/boot/System.map ;
+ !/boot/module-info ;
+ /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ;
+ /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ;
+ # other boot files may exist. Look for:
+ #/ufsboot -> $(SEC_CRIT) ;
+}
+ ##################################################
+ ###################################################
+ # These files change every time the system boots ##
+ ##################################################
+(
+ rulename = "System boot changes",
+ severity = $(SIG_HI)
+)
+{
+ !/var/run/ftp.pids-all ; # Comes and goes on reboot.
+ !/root/.enlightenment ;
+ /dev/log -> $(SEC_CONFIG) ;
+ /dev/cua0 -> $(SEC_CONFIG) ;
+ # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
+ /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
+ /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
+ /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
+ /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
+ /dev/tty4 -> $(SEC_CONFIG) ; # variable
+ /dev/tty5 -> $(SEC_CONFIG) ;
+ /dev/tty6 -> $(SEC_CONFIG) ;
+ /dev/urandom -> $(SEC_CONFIG) ;
+ /dev/initctl -> $(SEC_CONFIG) ;
+ /var/lock/subsys -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/amd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
+ /var/lock/subsys/apmd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
+ /var/lock/subsys/atd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/canna -> $(SEC_CONFIG) ;
+ /var/lock/subsys/crond -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/firewall -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/gated -> $(SEC_CONFIG) ;
+ /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/identd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/innd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/irda -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/isdn -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
+ /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/kprop -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
+ /var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ldap -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/lpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/named -> $(SEC_CONFIG) ;
+ /var/lock/subsys/netfs -> $(SEC_CONFIG) ;
+ /var/lock/subsys/network -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/nfs -> $(SEC_CONFIG) ;
+ /var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/nscd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
+ /var/lock/subsys/portmap -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/pxe -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/radvd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/random -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
+ /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ripd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/routed -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
+ /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/smb -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/squid -> $(SEC_CONFIG) ;
+ /var/lock/subsys/sshd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/syslog -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/tux -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ups -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/wine -> $(SEC_CONFIG) ;
+ /var/lock/subsys/xfs -> $(SEC_CONFIG) ;
+ /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
+ /var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
+ #/var/lock/subsys/zebra -> $(SEC_CONFIG) ;
+ /var/run -> $(SEC_CONFIG) ;
+ /var/log -> $(SEC_CONFIG) ;
+ /etc/ioctl.save -> $(SEC_CONFIG) ;
+ /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
+ /etc/issue -> $(SEC_CONFIG) ;
+ /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
+ /lib/modules -> $(SEC_CONFIG) ;
+ /etc/.pwd.lock -> $(SEC_CONFIG) ;
+ # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
+}
+
+# These files change the behavior of the root account
+(
+ rulename = "Root config files",
+ severity = 100
+)
+{
+ /root -> $(SEC_CRIT) ; # Catch all additions to /root
+ #/root/.Xresources -> $(SEC_CONFIG) ;
+ /root/.bashrc -> $(SEC_CONFIG) ;
+ /root/.bash_profile -> $(SEC_CONFIG) ;
+ /root/.bash_logout -> $(SEC_CONFIG) ;
+ /root/.cshrc -> $(SEC_CONFIG) ;
+ /root/.tcshrc -> $(SEC_CONFIG) ;
+ /root/Mail -> $(SEC_CONFIG) ;
+ #/root/mail -> $(SEC_CONFIG) ;
+ #/root/.amandahosts -> $(SEC_CONFIG) ;
+ #/root/.addressbook.lu -> $(SEC_CONFIG) ;
+ #/root/.addressbook -> $(SEC_CONFIG) ;
+ /root/.bash_history -> $(SEC_CONFIG) ;
+ /root/.elm -> $(SEC_CONFIG) ;
+ #/root/.esd_auth -> $(SEC_CONFIG) ;
+ /root/.gnome_private -> $(SEC_CONFIG) ;
+ /root/.gnome-desktop -> $(SEC_CONFIG) ;
+ /root/.gnome -> $(SEC_CONFIG) ;
+ /root/.ICEauthority -> $(SEC_CONFIG) ;
+ #/root/.mc -> $(SEC_CONFIG) ;
+ #/root/.pinerc -> $(SEC_CONFIG) ;
+ /root/.sawfish -> $(SEC_CONFIG) ;
+ /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
+ #/root/.xauth -> $(SEC_CONFIG) ;
+ /root/.xsession-errors -> $(SEC_CONFIG) ;
+}
+
+ ################################
+ # ##
+################################ #
+# # #
+# Critical configuration files # #
+# ##
+################################
+(
+ rulename = "Critical configuration files",
+ severity = $(SIG_HI)
+)
+{
+ #/etc/conf.linuxconf -> $(SEC_BIN) ;
+ /etc/crontab -> $(SEC_BIN) ;
+ /etc/cron.hourly -> $(SEC_BIN) ;
+ /etc/cron.daily -> $(SEC_BIN) ;
+ /etc/cron.weekly -> $(SEC_BIN) ;
+ /etc/cron.monthly -> $(SEC_BIN) ;
+ /etc/default -> $(SEC_BIN) ;
+ /etc/fstab -> $(SEC_BIN) ;
+ /etc/exports -> $(SEC_BIN) ;
+ /etc/group- -> $(SEC_BIN) ; # changes should be infrequent
+ /etc/host.conf -> $(SEC_BIN) ;
+ /etc/hosts.allow -> $(SEC_BIN) ;
+ /etc/hosts.deny -> $(SEC_BIN) ;
+ /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
+ /etc/protocols -> $(SEC_BIN) ;
+ /etc/services -> $(SEC_BIN) ;
+ /etc/rc.d/init.d -> $(SEC_BIN) ;
+ /etc/rc.d -> $(SEC_BIN) ;
+ /etc/mail.rc -> $(SEC_BIN) ;
+ /etc/modules.conf -> $(SEC_BIN) ;
+ /etc/motd -> $(SEC_BIN) ;
+ /etc/named.conf -> $(SEC_BIN) ;
+ /etc/passwd -> $(SEC_CONFIG) ;
+ /etc/passwd- -> $(SEC_CONFIG) ;
+ /etc/profile.d -> $(SEC_BIN) ;
+ /var/lib/nfs/rmtab -> $(SEC_BIN) ;
+ /usr/sbin/fixrmtab -> $(SEC_BIN) ;
+ /etc/rpc -> $(SEC_BIN) ;
+ /etc/sysconfig -> $(SEC_BIN) ;
+ /etc/samba/smb.conf -> $(SEC_CONFIG) ;
+ #/etc/gettydefs -> $(SEC_BIN) ;
+ /etc/nsswitch.conf -> $(SEC_BIN) ;
+ /etc/yp.conf -> $(SEC_BIN) ;
+ /etc/hosts -> $(SEC_CONFIG) ;
+ /etc/xinetd.conf -> $(SEC_CONFIG) ;
+ /etc/inittab -> $(SEC_CONFIG) ;
+ /etc/resolv.conf -> $(SEC_CONFIG) ;
+ /etc/syslog.conf -> $(SEC_CONFIG) ;
+}
+
+ ####################
+ # ##
+#################### #
+# # #
+# Critical devices # #
+# ##
+####################
+(
+ rulename = "Critical devices",
+ severity = $(SIG_HI),
+ recurse = false
+)
+{
+ /dev/kmem -> $(Device) ;
+ /dev/mem -> $(Device) ;
+ /dev/null -> $(Device) ;
+ /dev/zero -> $(Device) ;
+ /proc/devices -> $(Device) ;
+ /proc/net -> $(Device) ;
+ /proc/sys -> $(Device) ;
+ /proc/cpuinfo -> $(Device) ;
+ /proc/modules -> $(Device) ;
+ /proc/mounts -> $(Device) ;
+ /proc/dma -> $(Device) ;
+ /proc/filesystems -> $(Device) ;
+ /proc/pci -> $(Device) ;
+ /proc/interrupts -> $(Device) ;
+ /proc/driver/rtc -> $(Device) ;
+ /proc/ioports -> $(Device) ;
+ #/proc/scsi -> $(Device) ;
+ /proc/kcore -> $(Device) ;
+ /proc/self -> $(Device) ;
+ /proc/kmsg -> $(Device) ;
+ /proc/stat -> $(Device) ;
+ /proc/ksyms -> $(Device) ;
+ /proc/loadavg -> $(Device) ;
+ /proc/uptime -> $(Device) ;
+ /proc/locks -> $(Device) ;
+ /proc/version -> $(Device) ;
+ /proc/mdstat -> $(Device) ;
+ /proc/meminfo -> $(Device) ;
+ /proc/cmdline -> $(Device) ;
+ /proc/misc -> $(Device) ;
+}
+
+# Rest of critical system binaries
+(
+ rulename = "OS executables and libraries",
+ severity = $(SIG_HI)
+)
+{
+ /bin -> $(SEC_BIN) ;
+ /lib -> $(SEC_BIN) ;
+}
+
+#=============================================================================
+#
+# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
+# Inc. in the United States and other countries. All rights reserved.
+#
+# Linux is a registered trademark of Linus Torvalds.
+#
+# UNIX is a registered trademark of The Open Group.
+#
+#=============================================================================
+#
+# Permission is granted to make and distribute verbatim copies of this document
+# provided the copyright notice and this permission notice are preserved on all
+# copies.
+#
+# Permission is granted to copy and distribute modified versions of this
+# document under the conditions for verbatim copying, provided that the entire
+# resulting derived work is distributed under the terms of a permission notice
+# identical to this one.
+#
+# Permission is granted to copy and distribute translations of this document
+# into another language, under the above conditions for modified versions,
+# except that this permission notice may be stated in a translation approved by
+# Tripwire, Inc.
+#
+# DCM
+#
+# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
+#
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
new file mode 100644
index 0000000..c26392a
--- /dev/null
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -0,0 +1,74 @@
+SUMMARY = "Tripwire: A system integrity assessment tool (IDS)"
+DESCRIPTION = "Open Source Tripwire® software is a security and data \
+integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
+HOMEPAGE="http://sourceforge.net/projects/tripwire"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
+
+SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
+
+SRC_URI = "\
+ git://github.com/Tripwire/tripwire-open-source.git \
+ file://tripwire.cron \
+ file://tripwire.sh \
+ file://tripwire.txt \
+ file://twcfg.txt \
+ file://twinstall.sh \
+ file://twpol-yocto.txt \
+ file://run-ptest \
+ "
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep update-rc.d ptest
+
+INITSCRIPT_NAME = "tripwire"
+INITSCRIPT_PARAMS = "start 40 S ."
+TRIPWIRE_HOST = "${HOST_SYS}"
+TRIPWIRE_TARGET = "${TARGET_SYS}"
+
+CXXFLAGS += "-fno-strict-aliasing"
+EXTRA_OECONF = "--disable-openssl --enable-static --sysconfdir=/etc/tripwire"
+
+do_install () {
+ install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir}
+ install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir}
+ install -d ${D}${sysconfdir}/${PN}
+ install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report
+ install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8
+ install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates
+ install -d ${D}${sysconfdir}/init.d
+
+ install -m 0755 ${S}/bin/* ${D}${sbindir}
+ install -m 0644 ${S}/lib/* ${D}${base_libdir}
+ install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN}
+ install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir}
+ install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
+ install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
+ install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
+ install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
+
+ install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
+ install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
+ install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
+ install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
+ install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
+ install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
+ install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN}
+ install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
+}
+
+do_install_ptest_append () {
+ install -d ${D}${PTEST_PATH}/tests
+ cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+ sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm
+}
+
+FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
+FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
+FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
+FILES_${PN}-ptest += "${PTEST_PATH}/tests "
+
+RDEPENDS_${PN} += " perl nano msmtp cronie"
+RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
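Review bot: The SRC_URI entry `git://github.com/Tripwire/tripwire-open-source.git` fetches over the unauthenticated git:// transport with no `protocol=` parameter; the full-hash SRCREV pin means a substituted tree would fail the commit-hash check, but the transport itself offers no server authentication and GitHub no longer serves git://, so the fetch should be `git://github.com/Tripwire/tripwire-open-source.git;protocol=https` with a `branch=` parameter naming the branch that contains the pinned SRCREV. The plain-text policy and configuration, `twpol.txt` and `twcfg.txt`, are installed world-readable (`install -m 0644`) under `${sysconfdir}/${PN}`; if twinstall.sh signs them into tw.pol/tw.cfg at first run, consider a comment in do_install stating that the cleartext copies are expected to be removed or tightened after signing, since they disclose the monitored path set to any local user. Minor: `HOMEPAGE="http://..."` lacks the surrounding spaces used by every other assignment and points at a plain-http URL.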