authorcy <cy@FreeBSD.org>2002-03-01 01:47:15 +0000
committercy <cy@FreeBSD.org>2002-03-01 01:47:15 +0000
commit21e3fe3d93ac33dfa8b8bc63c0f00cda49851ce7 (patch)
treeba9926509377bef194adcd57cb43223c91a0dbe7 /security/tripwire/files
parentdd08a15c645cf662d0ad603df1d415b3769043d3 (diff)
Update from 1.2 (academic source release) to 2.3.1-2 (open source Linux
release). In relation to Tripwire 1.x, 2.x is a complete rewrite. PR: ports/29137 Submitted by: nectar (first review), cjc (second review)
Diffstat (limited to 'security/tripwire/files')
-rw-r--r--security/tripwire/files/conf-freebsd2.h55
-rw-r--r--security/tripwire/files/patch-aa38
-rw-r--r--security/tripwire/files/patch-ab62
-rw-r--r--security/tripwire/files/patch-ac16
-rw-r--r--security/tripwire/files/patch-install::install.sh70
-rw-r--r--security/tripwire/files/patch-man::man4::twconfig.420
-rw-r--r--security/tripwire/files/patch-man::man4::twpolicy.418
-rw-r--r--security/tripwire/files/patch-mktemp239
-rw-r--r--security/tripwire/files/patch-src::Makefile35
-rw-r--r--security/tripwire/files/patch-src::core::msystem.h15
-rw-r--r--security/tripwire/files/patch-src::core::unix::file_unix.cpp45
-rw-r--r--security/tripwire/files/patch-src::core::unix::unixfsservices.cpp31
-rw-r--r--security/tripwire/files/patch-src::tripwire::mailmessage.cpp11
-rw-r--r--security/tripwire/files/patch-warnings33
-rw-r--r--security/tripwire/files/tw.conf.freebsd2154
-rw-r--r--security/tripwire/files/twcheck3
-rw-r--r--security/tripwire/files/twpol.m4655
-rw-r--r--security/tripwire/files/twpol.txt655
18 files changed, 1555 insertions, 600 deletions
diff --git a/security/tripwire/files/conf-freebsd2.h b/security/tripwire/files/conf-freebsd2.h
deleted file mode 100644
index d8f2942..0000000
--- a/security/tripwire/files/conf-freebsd2.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * conf-freebsd2.h
- *
- * Tripwire configuration file
- *
- * Joe Greco
- * sol.net Network Services
- * Derived from the other BSD config.h's
- */
-
-/***
- *** Operating System specifics
- ***
- *** If the answer to a question in the comment is "Yes", then
- *** change the corresponding "#undef" to a "#define"
- ***/
-
-/*
- * is your OS a System V derivitive? if so, what version?
- * (e.g., define SYSV 4)
- */
-
-#undef SYSV
-
-/*
- * does your system have a <malloc.h> like System V?
- */
-
-#undef MALLOCH
-
-/*
- * does your system have a <stdlib.h> like POSIX says you should?
- */
-
-#define STDLIBH
-
-/*
- * does your system use readdir(3) that returns (struct dirent *)?
- */
-
-#define DIRENT
-
-/*
- * is #include <string.h> ok? (as opposed to <strings.h>)
- */
-
-#define STRINGH
-
-/*
- * does your system have gethostname(2) (instead of uname(2))?
- */
-
-#define GETHOSTNAME
diff --git a/security/tripwire/files/patch-aa b/security/tripwire/files/patch-aa
deleted file mode 100644
index 81238bf..0000000
--- a/security/tripwire/files/patch-aa
+++ /dev/null
@@ -1,38 +0,0 @@
-*** include/config.h.orig Fri Jul 15 06:02:52 1994
---- include/config.h Sun Dec 31 18:56:20 1989
-***************
-*** 17,23 ****
- *** file that corresponds with your operating system.
- ***/
-
-! #include "../configs/conf-svr4.h"
-
- #ifdef TW_TYPE32
- typedef TW_TYPE32 int32;
---- 17,23 ----
- *** file that corresponds with your operating system.
- ***/
-
-! #include "../configs/conf-freebsd2.h"
-
- #ifdef TW_TYPE32
- typedef TW_TYPE32 int32;
-***************
-*** 103,110 ****
- #endif
- */
-
-! #define CONFIG_PATH "/tmp/genek"
-! #define DATABASE_PATH "/tmp/genek"
-
- /******* name of Tripwire files **************************************
- *
---- 103,110 ----
- #endif
- */
-
-! # define CONFIG_PATH "/var/adm/tcheck"
-! # define DATABASE_PATH "/var/adm/tcheck/databases"
-
- /******* name of Tripwire files **************************************
- *
diff --git a/security/tripwire/files/patch-ab b/security/tripwire/files/patch-ab
deleted file mode 100644
index 7dcf334..0000000
--- a/security/tripwire/files/patch-ab
+++ /dev/null
@@ -1,62 +0,0 @@
-*** Makefile Mon Jul 25 10:59:41 1994
---- Makefile Thu Jan 2 12:04:35 1997
-***************
-*** 34,36 ****
- # you can use ANSI C if you like, but K&R is equally fine.
-! CC = cc # common
- #CC = gcc # also common
---- 34,36 ----
- # you can use ANSI C if you like, but K&R is equally fine.
-! #CC = cc # common
- #CC = gcc # also common
-***************
-*** 38,40 ****
-
-! CFLAGS = -O # common
- #CFLAGS = -g # common
---- 38,40 ----
-
-! #CFLAGS = -O # common
- #CFLAGS = -g # common
-***************
-*** 60,66 ****
- #CPP = /lib/cpp # on older systems
-
- # make sure libraries are not linked dynamically (as a security measure)
-! LDFLAGS= # common
- #LDFLAGS= -non_shared # OSF/1
- #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire
- # on Solaris 2.3)
---- 60,67 ----
- #CPP = /lib/cpp # on older systems
-
- # make sure libraries are not linked dynamically (as a security measure)
-! LDFLAGS= -static
-! #LDFLAGS= # common
- #LDFLAGS= -non_shared # OSF/1
- #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire
- # on Solaris 2.3)
-
-
---- src/Makefile.orig Mon Jul 25 10:40:54 1994
-+++ src/Makefile Sun May 28 15:52:25 2000
-@@ -3,7 +3,7 @@
- # Tripwire build
- #
-
--CFLAGS = -O
-+#CFLAGS = -O
-
- OFILES = config.parse.o main.o list.o ignorevec.o dbase.build.o \
- utils.o preen.o preen.interp.o preen.report.o \
-@@ -103,8 +103,9 @@
- .c.o:
- $(CC) $(CFLAGS) -c $<
-
--install: tripwire
-+install: tripwire siggen
- $(INSTALL) tripwire $(DESTDIR)
-+ $(INSTALL) siggen $(DESTDIR)
-
- clean:
- -rm -f $(OFILES) config.lex.c config.pre.c y.tab.c lex.yy.c help.c \
diff --git a/security/tripwire/files/patch-ac b/security/tripwire/files/patch-ac
deleted file mode 100644
index bad0901..0000000
--- a/security/tripwire/files/patch-ac
+++ /dev/null
@@ -1,16 +0,0 @@
-This patch eliminates a compiler warning about LITTLE_ENDIAN begin
-redefined.
-
-*** sigs/sha/sha.c.orig Mon Jul 25 08:46:45 1994
---- sigs/sha/sha.c Mon Mar 31 19:55:23 1997
-***************
-*** 47,52 ****
---- 47,54 ----
- #include "sha.h"
-
- #if BYTEORDER == 0x1234
-+ #undef BIG_ENDIAN
-+ #undef LITTLE_ENDIAN
- #define LITTLE_ENDIAN
- #endif
-
diff --git a/security/tripwire/files/patch-install::install.sh b/security/tripwire/files/patch-install::install.sh
new file mode 100644
index 0000000..6e7ecf0
--- /dev/null
+++ b/security/tripwire/files/patch-install::install.sh
@@ -0,0 +1,70 @@
+--- install/install.sh.orig Fri Oct 27 17:26:26 2000
++++ install/install.sh Fri Feb 22 07:34:55 2002
+@@ -3,7 +3,7 @@
+ #########################################################
+ #########################################################
+ ##
+-## Tripwire(R) 2.3 Open Source for LINUX install script
++## Tripwire(R) 2.3 Open Source for FreeBSD install script
+ ##
+ #########################################################
+ #########################################################
+@@ -252,12 +252,14 @@
+ unamVER=`uname -v -r`
+ if ((echo "$unamOS" | $GREP -i "Linux" > /dev/null) ||
+ (echo "$unamOS" | $GREP -i "HP-UX" > /dev/null) ||
++ (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null) ||
+ (echo "$unamOS" | $GREP -i "AIX" > /dev/null)); then
+ unamHW=`uname -m`
+ else
+ unamHW=`uname -p`
+ fi
+- if (echo "$unamOS" | $GREP -i "Linux" > /dev/null); then
++ if (echo "$unamOS" | $GREP -i "Linux" > /dev/null) ||
++ (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then
+ osokay=1
+ fi
+ if [ "$osokay" -eq 0 ] ; then
+@@ -488,7 +490,11 @@
+ BASE_DIR=`echo $0 | sed s/$BASE_DIR\$//`
+ if [ ! -z "$BASE_DIR" ] ; then
+ TAR_DIR="${BASE_DIR}"
+- BIN_DIR="${BASE_DIR}bin/i686-pc-linux_r"
++ if (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then
++ BIN_DIR="${BASE_DIR}bin/${unamHW}-unknown-freebsd_r"
++ else
++ BIN_DIR="${BASE_DIR}bin/i686-pc-linux_r"
++ fi
+ else
+ TAR_DIR="${BASE_DIR}"
+ fi
+@@ -621,15 +627,22 @@
+ f1=' ff=$README ; d="" ; dd=$TWDOCS ; rr=0444 '
+ f2=' ff=$REL_NOTES ; d="" ; dd=$TWDOCS ; rr=0444 '
+ f3=' ff=$TWLICENSEFILE ; d="" ; dd=$TWDOCS ; rr=0444 '
+-f4=' ff=tripwire ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
+-f5=' ff=twadmin ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
+-f6=' ff=twprint ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
+-f7=' ff=siggen ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
++if (echo "$unamOS" | $GREP -i "Linux" > /dev/null); then
++ f4=' ff=tripwire ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
++ f5=' ff=twadmin ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
++ f6=' ff=twprint ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
++ f7=' ff=siggen ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
++elif (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then
++ f4=' ff=tripwire ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
++ f5=' ff=twadmin ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
++ f6=' ff=twprint ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
++ f7=' ff=siggen ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
++fi
+ f8=' ff=TRADEMARK ; d="" ; dd=$TWDOCS ; rr=0444 '
+-f9=' ff=policyguide.txt ; d="" ; dd=$TWDOCS ; rr=0444 '
++f9=' ff=policyguide.txt ; d="/policy/" ; dd=$TWDOCS ; rr=0444 '
+ f10=' ff=twpol.txt ; d="/policy/" ; dd=$TWPOLICY ; rr=0640 '
+-f11=' ff=twpolicy.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
+-f12=' ff=twconfig.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
++f11=' ff=twpolicy.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 '
++f12=' ff=twconfig.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 '
+ f13=' ff=twfiles.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 '
+ f14=' ff=siggen.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
+ f15=' ff=tripwire.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
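Review bot: The FreeBSD test `echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null` is now repeated in four places (the unamHW selection, the osokay test, the BIN_DIR selection and the f4–f7 table), so a change to the match string in one spot would silently desynchronise the others; computing it once after `unamVER=` keeps them together, e.g. `isFreeBSD=0`, `(echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null) && isFreeBSD=1`, then `if [ "$isFreeBSD" -eq 1 ]` at each site. The new f4–f7 block has no else branch, so on a host that is neither Linux nor FreeBSD those entries stay unset; that looks unreachable because the `osokay` test above exits first, but the exit itself is outside the quoted hunk, so worth confirming. The install modes carried over unchanged (0550 on the binaries, 0640 on twpol.txt) are the ones a reviewer would want to see preserved.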
diff --git a/security/tripwire/files/patch-man::man4::twconfig.4 b/security/tripwire/files/patch-man::man4::twconfig.4
new file mode 100644
index 0000000..409f519
--- /dev/null
+++ b/security/tripwire/files/patch-man::man4::twconfig.4
@@ -0,0 +1,20 @@
+--- man/man4/twconfig.4.orig Sat Mar 3 16:28:39 2001
++++ man/man4/twconfig.4 Sat Feb 23 13:49:52 2002
+@@ -35,7 +35,7 @@
+ ..
+ .nh
+ .ad l
+-.TH TWCONFIG 4 "1 July 2000"
++.TH TWCONFIG 5 "1 July 2000"
+ .SH NAME
+ twconfig \- \fITripwire\fP configuration file reference
+ .SH DESCRIPTION
+@@ -293,7 +293,7 @@
+ .BR twadmin (8),
+ .BR twprint (8),
+ .BR siggen (8),
+-.BR twpolicy (4),
++.BR twpolicy (5),
+ .BR twfiles (5),
+ .BR sendmail (1),
+ .BR vi (1),
diff --git a/security/tripwire/files/patch-man::man4::twpolicy.4 b/security/tripwire/files/patch-man::man4::twpolicy.4
new file mode 100644
index 0000000..0d6ab39
--- /dev/null
+++ b/security/tripwire/files/patch-man::man4::twpolicy.4
@@ -0,0 +1,18 @@
+--- man/man4/twpolicy.4.orig Sat Mar 3 16:28:30 2001
++++ man/man4/twpolicy.4 Sat Feb 23 13:50:10 2002
+@@ -36,7 +36,7 @@
+ .\"
+ .nh
+ .ad l
+-.TH TWPOLICY 4 "1 July 2000"
++.TH TWPOLICY 5 "1 July 2000"
+ .SH NAME
+ twpolicy \- \fITripwire\fP policy file reference
+ .SH DESCRIPTION
+@@ -544,5 +544,5 @@
+ .BR twadmin (8),
+ .BR twprint (8),
+ .BR siggen (8),
+-.BR twconfig (4),
++.BR twconfig (5),
+ .BR twfiles (5)
diff --git a/security/tripwire/files/patch-mktemp b/security/tripwire/files/patch-mktemp
deleted file mode 100644
index 3e871d4..0000000
--- a/security/tripwire/files/patch-mktemp
+++ /dev/null
@@ -1,239 +0,0 @@
-This patches replace all uses of the (potentially insecure) mktemp(3)
-with a much safer tmpfile(3).
-
---- src/config.parse.c Wed Jul 20 21:03:26 1994
-+++ src/config.parse.c Wed May 17 17:30:22 2000
-@@ -55,7 +55,6 @@
- #endif
-
- /* prototypes */
--char *mktemp();
- static void configfile_descend();
-
- #ifndef L_tmpnam
-@@ -86,7 +85,6 @@
- char ignorestring[1024];
- char s[MAXPATHLEN+1024];
- char configfile[MAXPATHLEN+512];
-- char *tmpfilename;
- char number[128];
- int entrynum = 0;
- int err;
-@@ -98,18 +96,6 @@
- if (!printpreprocess && !quietmode)
- fputs("### Phase 1: Reading configuration file\n", stderr);
-
-- /* generate temporary file name */
-- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
-- perror("configfile_read: malloc()");
-- exit(1);
-- };
-- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
--
-- if ((char *) mktemp(tmpfilename) == NULL) {
-- perror("configfile_read: mktemp()");
-- exit(1);
-- }
--
- /* generate configuration file name */
- if (specified_configmode != SPECIFIED_FILE)
- sprintf(configfile, "%s/%s", config_path, config_file);
-@@ -149,25 +135,17 @@
-
- err = umask(077); /* to protect the tempfile */
-
-- if ((fpout = fopen(tmpfilename, "w+")) == NULL) {
-- sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
-- perror(s);
-- exit(1);
-- }
-- (void) umask(err); /* return it to its former state */
--
-- /* The following unlink accomplishes two things:
-+ /* The use of tmpfile(3) accomplishes two things:
- * 1) if the program terminates, we won't leave a temp
- * file sitting around with potentially sensitive names
- * in it.
- * 2) the file is "hidden" while we run
- */
-- if (unlink(tmpfilename) < 0) {
-- perror("configfile_read: unlink()");
-+ if ((fpout = tmpfile()) == NULL) {
-+ perror("tmpfile");
- exit(1);
- }
-- free(tmpfilename);
--
-+ (void) umask(err); /* return it to its former state */
-
- /*
- * pass 0: preprocess file
---- src/dbase.build.c Mon Jul 25 11:24:09 1994
-+++ src/dbase.build.c Wed May 17 18:22:14 2000
-@@ -66,7 +66,6 @@
- int files_scanned_num = 0;
-
- /* prototypes */
--char *mktemp();
- static void database_record_write();
-
- char backupfile[MAXPATHLEN+256];
-@@ -125,17 +124,7 @@
-
- /* where do we write the new database? */
- if (mode == DBASE_TEMPORARY) {
-- char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);
-- if (tmpfilename == NULL)
-- die_with_err("malloc() failed in database_build", (char *) NULL);
-- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
--
-- if ((char *) mktemp(tmpfilename) == NULL)
-- die_with_err("database_build: mktemp()", (char *) NULL);
--
-- (void) strcpy(tempdatabase_file, tmpfilename);
-- (void) strcpy(database, tempdatabase_file);
-- free(tmpfilename);
-+ /* do nothing */
- } /* end if temporary database */
- else if (mode == DBASE_UPDATE) {
- sprintf(database, "./databases/%s", database_file);
-@@ -224,6 +213,12 @@
- }
-
- /* rebuild the database */
-+ if (mode == DBASE_TEMPORARY) {
-+ fpw = tmpfile();
-+ if (fpw == NULL)
-+ die_with_err("call tmpfile(3) failed. Check your TMPDIR setting",
-+ NULL);
-+ } else
- if ((fpw = fopen(database, "w")) == NULL)
- die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);
-
-@@ -369,6 +364,6 @@
-
-- /* we don't want to allow anyone to spoof the temporary file in /tmp */
-+ /* if the database was temporary, the file was opened by tmpfile(3) --
-+ as such, it can not be accessed by anything but this process */
- if (mode == DBASE_TEMPORARY) {
-- if ((fptempdbase = freopen(database, "r", fpw)) == NULL)
-- die_with_err("temporary database file disappeared?!?", database);
-+ fptempdbase = fpw;
- rewind(fptempdbase);
---- src/main.c Fri Aug 26 04:23:03 1994
-+++ src/main.c Wed May 17 18:01:00 2000
-@@ -108,7 +108,6 @@
- char *database_path = DATABASE_PATH;
- char *config_path = CONFIG_PATH;
-
--char tempdatabase_file[MAXPATHLEN+256];
- FILE *fptempdbase;
-
- char *defaultignore = DEFAULTIGNORE;
---- src/preen.c Mon Jul 25 11:24:11 1994
-+++ src/preen.c Wed May 17 18:22:22 2000
-@@ -37,7 +37,6 @@
- static int numentriesread = 0; /* running count of @@contents */
-
- /* prototypes */
--char *mktemp();
- static void olddbasefile_load();
-
- char *updatemodes[] = {
-@@ -97,9 +96,6 @@
- preen_report(interactive, ppp_updateentries);
- if (!specified_configmode)
- (void) fclose(fp_in);
--
-- /* remove the temporary database file */
-- (void) unlink(tempdatabase_file);
-
- SPDEBUG(3) printf("*** leaving update_gather()\n");
-
---- src/siggen.c Mon Jul 25 11:24:12 1994
-+++ src/siggen.c Wed May 17 18:36:51 2000
-@@ -52,7 +52,6 @@
-
- extern int optind;
- int debuglevel = 0;
--char *mktemp();
-
- int (*pf_signatures [NUM_SIGS]) () = {
- SIG0FUNC,
-@@ -84,7 +83,6 @@
- };
- int verbosity = 0;
- int quietmode = 0;
--char *tmpfilename = NULL;
- int readstdin = 0;
-
-
-@@ -167,19 +167,6 @@
- FILE *fpout;
-- /* generate temporary file name */
-- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
-- perror("main: malloc()");
-- exit(1);
-- };
-- (void) strcpy(tmpfilename, "/tmp/twzXXXXXX");
--
-- if ((char *) mktemp(tmpfilename) == NULL) {
-- perror("siggen: mktemp()");
-- exit(1);
-- }
-
- /* output */
-- if (!(fpout = fopen(tmpfilename, "w"))) {
-- char err[1024];
-- sprintf(err, "main: fopen(%s)", tmpfilename);
-- perror(err);
-+ if (!(fpout = tmpfile())) {
-+ perror("tmpfile()");
- exit(1);
-@@ -189,12 +176,6 @@
- putc(c, fpout);
-- fclose(fpout);
-- if ((fd = open(tmpfilename, O_RDONLY)) < 0) {
-- perror("siggen: open");
-- exit(1);
-- }
-- if (siggen(fd) < 0)
-+ rewind(fpout);
-+ if (siggen(fileno(fpout)) < 0)
- errors++;
-
-- if (fd)
-- close(fd);
-+ close(fd);
-- unlink(tmpfilename);
---- src/utils.c Mon Jul 25 12:23:16 1994
-+++ src/utils.c Wed May 17 18:21:38 2000
-@@ -785,23 +785,15 @@
- int
- fd_tempfilename_generate()
- {
-- char tmp[MAXPATHLEN+256];
-- int fd;
-+ FILE *tmp;
-
-- (void) strcpy(tmp, TEMPFILE_TEMPLATE);
-- if ((char *) mktemp(tmp) == NULL) {
-- perror("tempfilename_generate: mktemp()");
-+ tmp = tmpfile();
-+ if (tmp == NULL) {
-+ perror("tempfilename_generate: tmpfile()");
- exit(1);
- }
-
-- if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) {
-- perror("tempfilename_generate: open()");
-- exit(1);
-- }
-- /* unlink right away to make sure no one can tamper with our file */
-- unlink(tmp);
--
-- return fd;
-+ return fileno(tmp);
- }
-
- /*
diff --git a/security/tripwire/files/patch-src::Makefile b/security/tripwire/files/patch-src::Makefile
new file mode 100644
index 0000000..d49c507
--- /dev/null
+++ b/security/tripwire/files/patch-src::Makefile
@@ -0,0 +1,35 @@
+--- src/Makefile.orig Sat Mar 3 20:03:52 2001
++++ src/Makefile Fri Feb 22 07:48:44 2002
+@@ -5,15 +5,16 @@
+ #
+ # This makefile handles different platforms targets through the use of the
+ # makefile variable "SYSPRE". To configure the make process for your specific
+-# platform edit the SYSPRE variable in the Configuration section below to match your
+-# setup.
++# platform edit the SYSPRE variable in the Configuration section below to match
++# your setup.
+ #
+ # During the build process this makefile recursively calls gmake using this
+ # file (Makefile) or one of the subdirectory makefiles (e.g. core/core.mak)
+ # as the makefile. When it does this it passes the SYSPRE definition along
+ # by using the directive "SYSPRE=$(SYSPRE)".
+ #
+-# Comments that start with '#=' are echoed to the screen by the default target, help.
++# Comments that start with '#=' are echoed to the screen by the default target,
++# help.
+ #= *** Build Commands
+ #=
+ #= Please note that all Tripwire makefiles require GNU make (gmake) to build!
+@@ -77,9 +78,11 @@
+ #
+ # i686-pc-linux == Linux Intel x86
+ # sparc-linux == Linux Sparc (not fully implemented)
++# i386-unknown-freebsd == FreeBSD Intel x86
++# alpha-unknown-freebsd == FreeBSD Compaq Alpha
+ #
+
+-SYSPRE = i686-pc-linux
++#SYSPRE = i686-pc-linux
+ #SYSPRE = sparc-linux
+ #SYSPRE = i386-unknown-freebsd
+ #SYSPRE = i386-unknown-openbsd
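Review bot: With the default `SYSPRE = i686-pc-linux` commented out, an invocation that does not pass SYSPRE on the command line expands `$(SYSPRE)` to empty and the recursive `gmake ... SYSPRE=$(SYSPRE)` calls described in the header comment will fail somewhere deeper rather than at the top; the port presumably supplies the value, but a parse-time guard makes the failure explicit: `ifeq ($(strip $(SYSPRE)),)`, `$(error SYSPRE is not set; pick one of the platform values listed above)`, `endif`. The rest of the makefile, including where SYSPRE is consumed, is outside the hunk. The two new platform comment lines (`i386-unknown-freebsd`, `alpha-unknown-freebsd`) match the `${unamHW}-unknown-freebsd_r` directory names the install script patch builds from `uname -m`, which is the consistency a reader will check.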
diff --git a/security/tripwire/files/patch-src::core::msystem.h b/security/tripwire/files/patch-src::core::msystem.h
new file mode 100644
index 0000000..1bb9e29
--- /dev/null
+++ b/security/tripwire/files/patch-src::core::msystem.h
@@ -0,0 +1,15 @@
+--- src/core/msystem.h.orig Fri Oct 27 18:15:20 2000
++++ src/core/msystem.h Fri Feb 22 13:53:33 2002
+@@ -114,7 +114,11 @@
+ # define GID_RESET -2 /* reset EGID to RGID */
+ #endif
+ #ifndef DEF_PATH
+-# define DEF_PATH "PATH=/bin:/usr/bin:/usr/ucb" /* default search path */
++#ifdef __FreeBSD_cc_version
++# define DEF_PATH "PATH=/sbin:/usr/sbin:/bin:/usr/bin" /* default search path */
++#else
++# define DEF_PATH "PATH=/bin:/usr/bin:/usr/ucb" /* default search path */
++#endif
+ #endif
+ #ifndef DEF_SHELL
+ # define DEF_SHELL "SHELL=/bin/sh" /* default shell */
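Review bot: The new branch keys on `__FreeBSD_cc_version`, a macro defined by FreeBSD's system compiler rather than by the operating system, so a build with a different compiler on FreeBSD would silently fall back to the `/usr/ucb` path; `#if defined(__FreeBSD__)` is the conventional OS test and expresses the intent. The value itself is sound from a hardening standpoint: it lists only absolute system directories, with no current-directory or user-writable entries, which matters because DEF_PATH is presumably the environment handed to whatever msystem spawns (the neighbouring `default search path` / `default shell` comments suggest this; the spawning code is outside the hunk). A one-line comment such as `/* FreeBSD keeps admin tools in /sbin and /usr/sbin; /usr/ucb does not exist */` would record why the path differs.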
diff --git a/security/tripwire/files/patch-src::core::unix::file_unix.cpp b/security/tripwire/files/patch-src::core::unix::file_unix.cpp
new file mode 100644
index 0000000..d43cca7
--- /dev/null
+++ b/security/tripwire/files/patch-src::core::unix::file_unix.cpp
@@ -0,0 +1,45 @@
+--- src/core/unix/file_unix.cpp Sat Oct 28 04:15:21 2000
++++ src/core/unix/file_unix.cpp Wed Jun 13 09:29:07 2001
+@@ -155,10 +155,15 @@
+ if( flags & OPEN_CREATE )
+ perm |= O_CREAT;
+
++ mode_t openmode = 0664;
++ if ( flags & OPEN_EXCLUSIVE ) {
++ perm |= O_CREAT | O_EXCL;
++ openmode = (mode_t) 0600; // Make sure only root can read the file
++ }
+ //
+ // actually open the file
+ //
+- int fh = _topen( sFileName.c_str(), perm, 0664 );
++ int fh = _topen( sFileName.c_str(), perm, openmode );
+ if( fh == -1 )
+ {
+ throw( eFileOpen( sFileName, iFSServices::GetInstance()->GetErrString() ) );
+--- src/core/file.h Sat Oct 28 04:15:20 2000
++++ src/core/file.h Wed Jun 13 09:07:20 2001
+@@ -96,7 +96,8 @@
+ OPEN_LOCKED_TEMP = 0x00000004, // the file should not be readable by other processes and should be removed when closed
+ OPEN_TRUNCATE = 0x00000008, // opens an empty file. creates it if it doesn't exist. Doesn't make much sense without OF_WRITE
+ OPEN_CREATE = 0x00000010, // create the file if it doesn't exist; this is implicit if OF_TRUNCATE is set
+- OPEN_TEXT = 0x00000020
++ OPEN_TEXT = 0x00000020,
++ OPEN_EXCLUSIVE = 0x0000040 // Use O_CREAT | O_EXCL
+ };
+
+ //Ctor, Dtor, CpyCtor, Operator=:
+--- src/core/archive.cpp Sat Feb 24 21:02:12 2001
++++ src/core/archive.cpp Wed Jun 13 09:15:25 2001
+@@ -896,8 +896,9 @@
+ // create file
+
+ // set up flags
+- uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE;
+- if ( openFlags & FA_OPEN_TRUNCATE )
++ uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE | cFile::OPEN_EXCLUSIVE;
++
++ if ( openFlags & FA_OPEN_TRUNCATE )
+ flags |= cFile::OPEN_TRUNCATE;
+ if ( openFlags & FA_OPEN_TEXT )
+ flags |= cFile::OPEN_TEXT;
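Review bot: The comment on the new `openmode = (mode_t) 0600` line overstates what the mode enforces — 0600 restricts the file to its owner, whoever that is, not to root; `// 0600: readable/writable only by the creating user` says what the code actually does. The new enumerator `OPEN_EXCLUSIVE = 0x0000040` is written with seven hex digits while its neighbours use eight; `0x00000040` keeps the column aligned and saves a reader re-deriving the value. Combining OPEN_EXCLUSIVE with OPEN_TRUNCATE in archive.cpp is harmless, since O_EXCL guarantees the file did not exist, but callers should note that a file already present at the temp path now surfaces as eFileOpen instead of being truncated — that is the intended protection against a pre-placed file or symlink, so the temp-name generator must hand over names that do not yet exist (see patch-src::core::unix::unixfsservices.cpp, where mkstemp creates the file before the name is returned).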
diff --git a/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp b/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp
new file mode 100644
index 0000000..14919a9
--- /dev/null
+++ b/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp
@@ -0,0 +1,31 @@
+--- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001
++++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001
+@@ -243,6 +243,7 @@
+ {
+ char* pchTempFileName;
+ char szTemplate[MAXPATHLEN];
++ int fd;
+
+ #ifdef _UNICODE
+ // convert template from wide character to multi-byte string
+@@ -253,13 +254,14 @@
+ strcpy( szTemplate, strName.c_str() );
+ #endif
+
+- // create temp filename
+- pchTempFileName = mktemp( szTemplate );
++ // create temp filename and check to see if mkstemp failed
++ if ((fd = mkstemp( szTemplate )) == -1) {
++ throw eFSServicesGeneric( strName );
++ } else {
++ close(fd);
++ }
++ pchTempFileName = szTemplate;
+
+- //check to see if mktemp failed
+- if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) {
+- throw eFSServicesGeneric( strName );
+- }
+
+ // change name so that it has the XXXXXX part filled in
+ #ifdef _UNICODE
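Review bot: mkstemp() creates the file, and the added `close(fd)` leaves that empty 0600 file on disk while only its name is returned, so much of the benefit of mkstemp over mktemp is given back: the caller still has to re-open by name, and if it does so with the O_CREAT|O_EXCL flag introduced in patch-src::core::unix::file_unix.cpp the open fails with EEXIST on the very file mkstemp just made, while opening without O_EXCL reopens a path that could be replaced between the close and the open. The caller is not visible from this hunk, so this is an interaction to confirm; the robust shape is to return the open descriptor (or wrap it in the cFile) rather than the name, and if only a name can be returned, `unlink(szTemplate)` after the `close(fd)` so a later O_EXCL create succeeds — accepting that the name is then only reserved, not held. The deleted NULL/strlen check also means `pchTempFileName = szTemplate;` no longer rejects an empty template, though mkstemp would presumably fail on a template without the XXXXXX suffix anyway.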
diff --git a/security/tripwire/files/patch-src::tripwire::mailmessage.cpp b/security/tripwire/files/patch-src::tripwire::mailmessage.cpp
new file mode 100644
index 0000000..f5566a0
--- /dev/null
+++ b/security/tripwire/files/patch-src::tripwire::mailmessage.cpp
@@ -0,0 +1,11 @@
+--- src/tripwire/mailmessage.cpp.orig Thu Jul 5 05:16:34 2001
++++ src/tripwire/mailmessage.cpp Thu Jul 5 05:16:47 2001
+@@ -241,7 +241,7 @@
+ time_t current_time = time(NULL);
+ tm = localtime ( &current_time );
+
+- const TCHAR* szFormat = _T("%a %d %b %Y %H:%M:%S %z");
++ const TCHAR* szFormat = _T("%a, %d %b %Y %H:%M:%S %z");
+
+ size_t numChars = _tcsftime( szDate, countof( szDate ), szFormat, tm );
+
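Review bot: The changed format string deserves a comment recording why the comma is there, since it is easy to "tidy" back out: `// RFC 2822 date-time, e.g. "Fri, 22 Feb 2002 07:34:55 -0800" (constructed example); the comma after the weekday is part of the format`. `%z` is not in C89 strftime and its output differs between libc implementations; that conversion predates this change, but a relay rejecting the Date header would trace back to this line, so the comment is the place to say it is relied upon. The `tm` pointer from localtime() two lines above is not checked for NULL before `_tcsftime`; also pre-existing, but adjacent to the edited line.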
diff --git a/security/tripwire/files/patch-warnings b/security/tripwire/files/patch-warnings
deleted file mode 100644
index ddd14ef..0000000
--- a/security/tripwire/files/patch-warnings
+++ /dev/null
@@ -1,33 +0,0 @@
-This patches remove some of the warnings produced by the compiler.
-
---- src/siggen.c Mon Jul 25 11:24:12 1994
-+++ src/siggen.c Wed May 17 19:15:29 2000
-@@ -15,2 +15,3 @@
- #include "../include/config.h"
-+#include <unistd.h>
- #include <stdio.h>
-@@ -104,4 +104,6 @@
-+
-+/* forward declaration, to avoid compiler warnings */
-+int siggen(int);
-
- int
- main(argc, argv)
---- aux/byteorder.c Fri Jul 15 07:02:36 1994
-+++ aux/byteorder.c Wed May 17 19:12:42 2000
-@@ -22,3 +22,3 @@
-
--void
-+int
- main()
-@@ -34,2 +34,3 @@
-
-+#warning "the shift-width warning below can be ignored"
- if (sizeof(int32) > 4)
---- aux/types.c Sun Dec 12 23:02:27 1993
-+++ aux/types.c Wed May 17 19:23:21 2000
-@@ -24,3 +24,3 @@
-
--void
-+int
- main(argc, argv)
diff --git a/security/tripwire/files/tw.conf.freebsd2 b/security/tripwire/files/tw.conf.freebsd2
deleted file mode 100644
index c195f38..0000000
--- a/security/tripwire/files/tw.conf.freebsd2
+++ /dev/null
@@ -1,154 +0,0 @@
-# $FreeBSD$
-#
-# tripwire.config
-# Generic version for FreeBSD
-# Will need editing...see comments below
-#
-# This file contains a list of files and directories that System
-# Preener will scan. Information collected from these files will be
-# stored in the tripwire.database file.
-#
-# Format: [!|=] entry [ignore-flags]
-#
-# where: '!' signifies the entry is to be pruned (inclusive) from
-# the list of files to be scanned.
-# '=' signifies the entry is to be added, but if it is
-# a directory, then all its contents are pruned
-# (useful for /tmp).
-#
-# where: entry is the absolute pathname of a file or a directory
-#
-# where ignore-flags are in the format:
-# [template][ [+|-][pinugsam12] ... ]
-#
-# - : ignore the following atributes
-# + : do not ignore the following attributes
-#
-# p : permission and file mode bits a: access timestamp
-# i : inode number m: modification timestamp
-# n : number of links (ref count) c: inode creation timestamp
-# u : user id of owner 1: signature 1
-# g : group id of owner 2: signature 2
-# s : size of file
-#
-#
-# Ex: The following entry will scan all the files in /etc, and report
-# any changes in mode bits, inode number, reference count, uid,
-# gid, modification and creation timestamp, and the signatures.
-# However, it will ignore any changes in the access timestamp.
-#
-# /etc +pinugsm12-a
-#
-# The following templates have been pre-defined to make these long ignore
-# mask descriptions unecessary.
-#
-# Templates: (default) R : [R]ead-only (+pinugsm12-a)
-# L : [L]og file (+pinug-sam12)
-# N : ignore [N]othing (+pinusgsamc12)
-# E : ignore [E]verything (-pinusgsamc12)
-#
-# By default, Tripwire uses the R template -- it ignores
-# only the access timestamp.
-#
-# You can use templates with modifiers, like:
-# Ex: /etc/lp E+ug
-#
-# Example configuration file:
-# /etc R # all system files
-# !/etc/lp R # ...but not those logs
-# =/tmp N # just the directory, not its files
-#
-# Note the difference between pruning (via "!") and ignoring everything
-# (via "E" template): Ignoring everything in a directory still monitors
-# for added and deleted files. Pruning a directory will prevent Tripwire
-# from even looking in the specified directory.
-#
-#
-# Tripwire running slowly? Modify your tripwire.config entries to
-# ignore the (signature 2) attribute when this computationally-exorbitant
-# protection is not needed. (See README and design document for further
-# details.)
-#
-
-# First, root's traditional "home". Note that FreeBSD's root's home (/root)
-# is protected by R-2 protections in the default config file.
-=/ L
-/.rhosts R # may not exist
-/.profile R # may not exist
-/.cshrc R # may not exist
-/.login R # may not exist
-/.exrc R # may not exist
-/.logout R # may not exist
-/.forward R # may not exist
-
-# Unix itself
-/kernel R
-
-# /bin
-/bin R-2
-
-# /dev
-/dev L
-
-# /etc
-/etc R-2
-/etc/aliases L
-/etc/dumpdates L
-/etc/motd L
-
-# my passwd database should be static at time of system build. yours may
-# not be, if not, uncomment the lines below.
-
-# /etc/passwd L
-# /etc/master.passwd L
-# /etc/pwd.db L
-# /etc/spwd.db L
-
-# /home
-=/home
-
-# /lkm and /modules
-/lkm R-2
-/modules R-2
-
-# /boot
-/boot R-2
-
-# /root
-/root R-2
-/root/.history L
-
-# /sbin
-/sbin R-2
-
-# /stand
-/stand R-2
-
-# /usr/bin
-/usr/bin R-2
-
-/usr/include R-12
-
-/usr/lib R-2
-
-/usr/libdata R-2
-
-/usr/libexec R-2
-
-/usr/local/bin R-2
-
-/usr/local/etc L
-
-/usr/local/lib R-2
-
-/usr/local/libexec R-2
-
-/usr/local/sbin R-2
-
-/usr/local/share R-2
-
-/usr/sbin R-2
-
-/usr/share R-2
-
-###########################################
diff --git a/security/tripwire/files/twcheck b/security/tripwire/files/twcheck
deleted file mode 100644
index a4dffd2..0000000
--- a/security/tripwire/files/twcheck
+++ /dev/null
@@ -1,3 +0,0 @@
-#! /bin/sh -
-
-./gunzip < tw.db_`hostname`.gz | ./tripwire -dfd 0 -c tw.config
diff --git a/security/tripwire/files/twpol.m4 b/security/tripwire/files/twpol.m4
new file mode 100644
index 0000000..ec60af2
--- /dev/null
+++ b/security/tripwire/files/twpol.m4
@@ -0,0 +1,655 @@
+#
+# Policy file for FreeBSD
+#
+$FreeBSD$
+
+
+#
+# This is the example Tripwire Policy file. It is intended as a place to
+# start creating your own custom Tripwire Policy file. Referring to it as
+# well as the Tripwire Policy Guide should give you enough information to
+# make a good custom Tripwire Policy file that better covers your
+# configuration and security needs. A text version of this policy file is
+# called twpol.txt.
+#
+# Note that this file is tuned to an install of FreeBSD using
+# buildworld. If run unmodified, this file should create no errors on
+# database creation, or violations on a subsiquent integrity check.
+# However it is impossible for there to be one policy file for all machines,
+# so this existing one errs on the side of security. Your FreeBSD
+# configuration will most likey differ from the one our policy file was
+# tuned to, and will therefore require some editing of the default
+# Tripwire Policy file.
+#
+# The example policy file is best run with 'Loose Directory Checking'
+# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
+# file.
+#
+# Email support is not included and must be added to this file.
+# Add the 'emailto=' to the rule directive section of each rule (add a comma
+# after the 'severity=' line and add an 'emailto=' and include the email
+# addresses you want the violation reports to go to). Addresses are
+# semi-colon delimited.
+#
+
+
+
+#
+# Global Variable Definitions
+#
+# These are defined at install time by the installation script. You may
+# Manually edit these if you are using this file directly and not from the
+# installation script itself.
+#
+
+@@section GLOBAL
+TWROOT=;
+TWBIN=;
+TWPOL=;
+TWDB=;
+TWSKEY=;
+TWLKEY=;
+TWREPORT=;
+HOSTNAME=;
+
+@@section FS
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+
+
+# Tripwire Binaries
+(
+ rulename = "Tripwire Binaries",
+ severity = $(SIG_HI)
+)
+{
+ $(TWBIN)/siggen -> $(SEC_BIN) ;
+ $(TWBIN)/tripwire -> $(SEC_BIN) ;
+ $(TWBIN)/twadmin -> $(SEC_BIN) ;
+ $(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+ rulename = "Tripwire Data Files",
+ severity = $(SIG_HI)
+)
+{
+ # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+ # it does so by renaming the old file and creating a new one (which will
+ # have a new inode number). Inode is left turned on for keys, which shouldn't
+ # ever change.
+
+ # NOTE: The first integrity check triggers this rule and each integrity check
+ # afterward triggers this rule until a database update is run, since the
+ # database file does not exist before that point.
+
+ $(TWDB) -> $(SEC_CONFIG) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
+ $(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
+ $(TWPOL)/twpol.txt -> $(SEC_BIN) ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
+ $(TWSKEY)/site.key -> $(SEC_BIN) ;
+
+ #don't scan the individual reports
+ $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+
+# Tripwire HQ Connector Binaries
+#(
+# rulename = "Tripwire HQ Connector Binaries",
+# severity = $(SIG_HI)
+#)
+#{
+# $(TWBIN)/hqagent -> $(SEC_BIN) ;
+#}
+#
+# Tripwire HQ Connector - Configuration Files, Keys, and Logs
+
+#
+# Note: File locations here are different than in a stock HQ Connector
+# installation. This is because Tripwire 2.3 uses a different path
+# structure than Tripwire 2.2.1.
+#
+# You may need to update your HQ Agent configuation file (or this policy
+# file) to correct the paths. We have attempted to support the FHS standard
+# here by placing the HQ Agent files similarly to the way Tripwire 2.3
+# places them.
+#
+
+#(
+# rulename = "Tripwire HQ Connector Data Files",
+# severity = $(SIG_HI)
+#)
+#{
+#
+# # NOTE: Removing the inode attribute because when Tripwire creates a backup
+# # it does so by renaming the old file and creating a new one (which will
+# # have a new inode number). Leaving inode turned on for keys, which
+# # shouldn't ever change.
+#
+#
+# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
+# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
+# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
+# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
+#
+# # Uncomment if you have agent logging enabled.
+# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
+#}
+
+
+
+# Commonly accessed directories that should remain static with regards to owner and group
+(
+ rulename = "Invariant Directories",
+ severity = $(SIG_MED)
+)
+{
+ / -> $(SEC_INVARIANT) (recurse = false) ;
+ /home -> $(SEC_INVARIANT) (recurse = false) ;
+}
+
+#
+# First, root's "home"
+#
+
+(
+ rulename = "Root's home",
+ severity = $(SIG_HI)
+)
+{
+ # /.rhosts -> $(SEC_CRIT) ;
+ /.profile -> $(SEC_CRIT) ;
+ /.cshrc -> $(SEC_CRIT) ;
+ /.login -> $(SEC_CRIT) ;
+ # /.exrc -> $(SEC_CRIT) ;
+ # /.logout -> $(SEC_CRIT) ;
+ # /.forward -> $(SEC_CRIT) ;
+ /root -> $(SEC_CRIT) (recurse = true) ;
+ !/root/.history ;
+ !/root/.bash_history ;
+ # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
+}
+
+
+#
+# FreeBSD Kernel
+#
+
+(
+ rulename = "FreeBSD Kernel",
+ severity = $(SIG_HI)
+)
+{
+ /kernel -> $(SEC_CRIT) ;
+ /kernel.old -> $(SEC_CRIT) ;
+ /kernel.GENERIC -> $(SEC_CRIT) ;
+}
+
+
+#
+# FreeBSD Modules
+#
+
+(
+ rulename = "FreeBSD Modules",
+ severity = $(SIG_HI)
+)
+{
+ /modules -> $(SEC_CRIT) (recurse = true) ;
+ /modules.old -> $(SEC_CRIT) (recurse = true) ;
+ # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
+}
+
+
+#
+# System Administration Programs
+#
+
+(
+ rulename = "System Administration Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/sbin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# User Utilities
+#
+
+(
+ rulename = "User Utilities",
+ severity = $(SIG_HI)
+)
+{
+ /bin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/bin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# /dev
+#
+
+(
+ rulename = "/dev",
+ severity = $(SIG_HI)
+)
+{
+ /dev -> $(Device) (recurse = true) ;
+ !/dev/vga ;
+ !/dev/dri ;
+ /dev/console -> $(SEC_TTY) ;
+ /dev/ttyv0 -> $(SEC_TTY) ;
+ /dev/ttyv1 -> $(SEC_TTY) ;
+ /dev/ttyv2 -> $(SEC_TTY) ;
+ /dev/ttyv3 -> $(SEC_TTY) ;
+ /dev/ttyv4 -> $(SEC_TTY) ;
+ /dev/ttyv5 -> $(SEC_TTY) ;
+ /dev/ttyv6 -> $(SEC_TTY) ;
+ /dev/ttyv7 -> $(SEC_TTY) ;
+ /dev/ttyp0 -> $(SEC_TTY) ;
+ /dev/ttyp1 -> $(SEC_TTY) ;
+ /dev/ttyp2 -> $(SEC_TTY) ;
+ /dev/ttyp3 -> $(SEC_TTY) ;
+ /dev/ttyp4 -> $(SEC_TTY) ;
+ /dev/ttyp5 -> $(SEC_TTY) ;
+ /dev/ttyp6 -> $(SEC_TTY) ;
+ /dev/ttyp7 -> $(SEC_TTY) ;
+ /dev/ttyp8 -> $(SEC_TTY) ;
+ /dev/ttyp9 -> $(SEC_TTY) ;
+ /dev/ttypa -> $(SEC_TTY) ;
+ /dev/ttypb -> $(SEC_TTY) ;
+ /dev/ttypc -> $(SEC_TTY) ;
+ /dev/ttypd -> $(SEC_TTY) ;
+ /dev/ttype -> $(SEC_TTY) ;
+ /dev/ttypf -> $(SEC_TTY) ;
+ /dev/ttypg -> $(SEC_TTY) ;
+ /dev/ttyph -> $(SEC_TTY) ;
+ /dev/ttypi -> $(SEC_TTY) ;
+ /dev/ttypj -> $(SEC_TTY) ;
+ /dev/ttypl -> $(SEC_TTY) ;
+ /dev/ttypm -> $(SEC_TTY) ;
+ /dev/ttypn -> $(SEC_TTY) ;
+ /dev/ttypo -> $(SEC_TTY) ;
+ /dev/ttypp -> $(SEC_TTY) ;
+ /dev/ttypq -> $(SEC_TTY) ;
+ /dev/ttypr -> $(SEC_TTY) ;
+ /dev/ttyps -> $(SEC_TTY) ;
+ /dev/ttypt -> $(SEC_TTY) ;
+ /dev/ttypu -> $(SEC_TTY) ;
+ /dev/ttypv -> $(SEC_TTY) ;
+ /dev/cuaa0 -> $(SEC_TTY) ; # modem
+}
+
+
+#
+# /etc
+#
+
+(
+ rulename = "/etc",
+ severity = $(SIG_HI)
+)
+{
+ /etc -> $(SEC_CRIT) (recurse = true) ;
+ # /etc/mail/aliases -> $(SEC_CONFIG) ;
+ /etc/dumpdates -> $(SEC_CONFIG) ;
+ /etc/motd -> $(SEC_CONFIG) ;
+ !/etc/ppp/connect-errors ;
+ /etc/skeykeys -> $(SEC_CONFIG) ;
+ # Uncomment the following 4 lines if your password file does not change
+ # /etc/passwd -> $(SEC_CONFIG) ;
+ # /etc/master.passwd -> $(SEC_CONFIG) ;
+ # /etc/pwd.db -> $(SEC_CONFIG) ;
+ # /etc/spwd.db -> $(SEC_CONFIG) ;
+}
+
+
+#
+# Copatibility (Linux)
+#
+
+(
+ rulename = "Linux Compatibility",
+ severity = $(SIG_HI)
+)
+{
+ /compat -> $(SEC_CRIT) (recurse = true) ;
+#
+# Uncomment the following if Linux compatibility is used. Replace
+# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
+# installed.
+#
+#@@ifhost HOSTNAME1 || HOSTNAME2
+# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
+# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
+# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
+# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
+# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
+# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
+# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
+# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
+# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
+# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
+# !/compat/linux/etc/ld.so.cache ;
+# !/compat/linux/var/spool/mail ;
+#@@endif
+}
+
+
+#
+# Libraries, include files, and other system files
+#
+
+(
+ rulename = "Libraries, include files, and other system files",
+ severity = $(SIG_HI)
+)
+{
+ /usr/include -> $(SEC_CRIT) (recurse = true) ;
+ /usr/lib -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libdata -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libexec -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man -> $(SEC_CONFIG) ;
+ !/usr/share/man/whatis ;
+ !/usr/share/man/.glimpse_filenames ;
+ !/usr/share/man/.glimpse_filenames_index ;
+ !/usr/share/man/.glimpse_filetimes ;
+ !/usr/share/man/.glimpse_filters ;
+ !/usr/share/man/.glimpse_index ;
+ !/usr/share/man/.glimpse_messages ;
+ !/usr/share/man/.glimpse_partitions ;
+ !/usr/share/man/.glimpse_statistics ;
+ !/usr/share/man/.glimpse_turbo ;
+ /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/man/cat1 ;
+ ! /usr/share/man/cat2 ;
+ ! /usr/share/man/cat3 ;
+ ! /usr/share/man/cat4 ;
+ ! /usr/share/man/cat5 ;
+ ! /usr/share/man/cat6 ;
+ ! /usr/share/man/cat7 ;
+ ! /usr/share/man/cat8 ;
+ ! /usr/share/man/cat9 ;
+ ! /usr/share/man/catl ;
+ ! /usr/share/man/catn ;
+ /usr/share/perl/man -> $(SEC_CONFIG) ;
+ !/usr/share/perl/man/whatis ;
+ !/usr/share/perl/man/.glimpse_filenames ;
+ !/usr/share/perl/man/.glimpse_filenames_index ;
+ !/usr/share/perl/man/.glimpse_filetimes ;
+ !/usr/share/perl/man/.glimpse_filters ;
+ !/usr/share/perl/man/.glimpse_index ;
+ !/usr/share/perl/man/.glimpse_messages ;
+ !/usr/share/perl/man/.glimpse_partitions ;
+ !/usr/share/perl/man/.glimpse_statistics ;
+ !/usr/share/perl/man/.glimpse_turbo ;
+ /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/perl/man/cat3 ;
+ /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
+ ! /usr/local/lib/perl5/5.00503/man/whatis ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
+ /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/lib/perl5/5.00503/man/cat3 ;
+}
+
+
+#
+# X11R6
+#
+
+(
+ rulename = "X11R6",
+ severity = $(SIG_HI)
+)
+{
+ /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
+ !/usr/X11R6/lib/X11/xdm/xdm-errors ;
+ !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
+ !/usr/X11R6/lib/X11/xdm/xdm-pid ;
+ /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
+ /usr/X11R6/man -> $(SEC_CONFIG) ;
+ !/usr/X11R6/man/whatis ;
+ !/usr/X11R6/man/.glimpse_filenames ;
+ !/usr/X11R6/man/.glimpse_filenames_index ;
+ !/usr/X11R6/man/.glimpse_filetimes ;
+ !/usr/X11R6/man/.glimpse_filters ;
+ !/usr/X11R6/man/.glimpse_index ;
+ !/usr/X11R6/man/.glimpse_messages ;
+ !/usr/X11R6/man/.glimpse_partitions ;
+ !/usr/X11R6/man/.glimpse_statistics ;
+ !/usr/X11R6/man/.glimpse_turbo ;
+ /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/X11R6/man/cat1 ;
+ ! /usr/X11R6/man/cat2 ;
+ ! /usr/X11R6/man/cat3 ;
+ ! /usr/X11R6/man/cat4 ;
+ ! /usr/X11R6/man/cat5 ;
+ ! /usr/X11R6/man/cat6 ;
+ ! /usr/X11R6/man/cat7 ;
+ ! /usr/X11R6/man/cat8 ;
+ ! /usr/X11R6/man/cat9 ;
+ ! /usr/X11R6/man/catl ;
+ ! /usr/X11R6/man/catn ;
+}
+
+
+#
+# sources
+#
+
+(
+ rulename = "Sources",
+ severity = $(SIG_HI)
+)
+{
+ /usr/src -> $(SEC_CRIT) (recurse = true) ;
+ /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
+}
+
+
+#
+# NIS
+#
+
+(
+ rulename = "NIS",
+ severity = $(SIG_HI)
+)
+{
+ /var/yp -> $(SEC_CRIT) (recurse = true) ;
+ !/var/yp/binding ;
+}
+
+
+#
+# Temporary directories
+#
+(
+ rulename = "Temporary directories",
+ recurse = false,
+ severity = $(SIG_LOW)
+)
+{
+ /usr/tmp -> $(SEC_INVARIANT) ;
+ /var/tmp -> $(SEC_INVARIANT) ;
+ /var/preserve -> $(SEC_INVARIANT) ;
+ /tmp -> $(SEC_INVARIANT) ;
+}
+
+#
+# Local files
+#
+
+(
+ rulename = "Local files",
+ severity = $(SIG_MED)
+)
+{
+ /usr/local/bin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/etc -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/share -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/man -> $(SEC_CONFIG) ;
+ !/usr/local/man/whatis ;
+ !/usr/local/man/.glimpse_filenames ;
+ !/usr/local/man/.glimpse_filenames_index ;
+ !/usr/local/man/.glimpse_filetimes ;
+ !/usr/local/man/.glimpse_filters ;
+ !/usr/local/man/.glimpse_index ;
+ !/usr/local/man/.glimpse_messages ;
+ !/usr/local/man/.glimpse_partitions ;
+ !/usr/local/man/.glimpse_statistics ;
+ !/usr/local/man/.glimpse_turbo ;
+ /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/man/cat1 ;
+ ! /usr/local/man/cat2 ;
+ ! /usr/local/man/cat3 ;
+ ! /usr/local/man/cat4 ;
+ ! /usr/local/man/cat5 ;
+ ! /usr/local/man/cat6 ;
+ ! /usr/local/man/cat7 ;
+ ! /usr/local/man/cat8 ;
+ ! /usr/local/man/cat9 ;
+ ! /usr/local/man/catl ;
+ ! /usr/local/man/catn ;
+ /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man -> $(SEC_CONFIG) ;
+ !/usr/local/krb5/man/whatis ;
+ !/usr/local/krb5/man/.glimpse_filenames ;
+ !/usr/local/krb5/man/.glimpse_filenames_index ;
+ !/usr/local/krb5/man/.glimpse_filetimes ;
+ !/usr/local/krb5/man/.glimpse_filters ;
+ !/usr/local/krb5/man/.glimpse_index ;
+ !/usr/local/krb5/man/.glimpse_messages ;
+ !/usr/local/krb5/man/.glimpse_partitions ;
+ !/usr/local/krb5/man/.glimpse_statistics ;
+ !/usr/local/krb5/man/.glimpse_turbo ;
+ /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/krb5/man/cat1 ;
+ ! /usr/local/krb5/man/cat2 ;
+ ! /usr/local/krb5/man/cat3 ;
+ ! /usr/local/krb5/man/cat4 ;
+ ! /usr/local/krb5/man/cat5 ;
+ ! /usr/local/krb5/man/cat6 ;
+ ! /usr/local/krb5/man/cat7 ;
+ ! /usr/local/krb5/man/cat8 ;
+ ! /usr/local/krb5/man/cat9 ;
+ ! /usr/local/krb5/man/catl ;
+ ! /usr/local/krb5/man/catn ;
+ /usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
+}
+
+
+(
+ rulename = "Security Control",
+ severity = $(SIG_HI)
+)
+{
+ /etc/group -> $(SEC_CRIT) ;
+ /etc/crontab -> $(SEC_CRIT) ;
+}
+
+#=============================================================================
+#
+# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
+# Inc. in the United States and other countries. All rights reserved.
+#
+# FreeBSD is a registered trademark of the FreeBSD Project Inc.
+#
+# UNIX is a registered trademark of The Open Group.
+#
+#=============================================================================
+#
+# Permission is granted to make and distribute verbatim copies of this document
+# provided the copyright notice and this permission notice are preserved on all
+# copies.
+#
+# Permission is granted to copy and distribute modified versions of this
+# document under the conditions for verbatim copying, provided that the entire
+# resulting derived work is distributed under the terms of a permission notice
+# identical to this one.
+#
+# Permission is granted to copy and distribute translations of this document
+# into another language, under the above conditions for modified versions,
+# except that this permission notice may be stated in a translation approved by
+# Tripwire, Inc.
+#
+# DCM
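Review bot: The comment `# Uncomment the following 4 lines if your password file does not change` in the "/etc" rule is inverted relative to what the lines do: `/etc -> $(SEC_CRIT) (recurse = true)` already applies the strictest mask to /etc/passwd, /etc/master.passwd, /etc/pwd.db and /etc/spwd.db, and uncommenting assigns the looser `$(SEC_CONFIG)` (`$(Dynamic)`) as a more specific entry, so those lines are for the case where the password database *does* change; suggest `# Uncomment the following 4 lines if your password database changes regularly (relaxes /etc's SEC_CRIT to SEC_CONFIG for these files)`. In "Root's home", `# /.rhosts -> $(SEC_CRIT) ;` is commented out although a newly created /.rhosts is exactly what an integrity check should report, and the `/ -> $(SEC_INVARIANT) (recurse = false)` entry (`+tpug`) does not watch the directory's contents; if it was disabled only because the file is absent on the reference install, a comment saying so (and noting that a missing file presumably produces a file-system warning rather than a fatal error at database creation — worth confirming) would help, likewise for `/.exrc`, `/.logout` and `/.forward`. Both new files carry the same blob (`index 0000000..ec60af2`) and the .m4 copy contains no m4 constructs, so the policy now exists in two identical copies that will drift apart; the same points apply to the twpol.txt hunk. Minor: `subsiquent`, `likey`, `configuation` and `Copatibility` in the comments.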
diff --git a/security/tripwire/files/twpol.txt b/security/tripwire/files/twpol.txt
new file mode 100644
index 0000000..ec60af2
--- /dev/null
+++ b/security/tripwire/files/twpol.txt
@@ -0,0 +1,655 @@
+#
+# Policy file for FreeBSD
+#
+$FreeBSD$
+
+
+#
+# This is the example Tripwire Policy file. It is intended as a place to
+# start creating your own custom Tripwire Policy file. Referring to it as
+# well as the Tripwire Policy Guide should give you enough information to
+# make a good custom Tripwire Policy file that better covers your
+# configuration and security needs. A text version of this policy file is
+# called twpol.txt.
+#
+# Note that this file is tuned to an install of FreeBSD using
+# buildworld. If run unmodified, this file should create no errors on
+# database creation, or violations on a subsiquent integrity check.
+# However it is impossible for there to be one policy file for all machines,
+# so this existing one errs on the side of security. Your FreeBSD
+# configuration will most likey differ from the one our policy file was
+# tuned to, and will therefore require some editing of the default
+# Tripwire Policy file.
+#
+# The example policy file is best run with 'Loose Directory Checking'
+# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
+# file.
+#
+# Email support is not included and must be added to this file.
+# Add the 'emailto=' to the rule directive section of each rule (add a comma
+# after the 'severity=' line and add an 'emailto=' and include the email
+# addresses you want the violation reports to go to). Addresses are
+# semi-colon delimited.
+#
+
+
+
+#
+# Global Variable Definitions
+#
+# These are defined at install time by the installation script. You may
+# Manually edit these if you are using this file directly and not from the
+# installation script itself.
+#
+
+@@section GLOBAL
+TWROOT=;
+TWBIN=;
+TWPOL=;
+TWDB=;
+TWSKEY=;
+TWLKEY=;
+TWREPORT=;
+HOSTNAME=;
+
+@@section FS
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+
+
+# Tripwire Binaries
+(
+ rulename = "Tripwire Binaries",
+ severity = $(SIG_HI)
+)
+{
+ $(TWBIN)/siggen -> $(SEC_BIN) ;
+ $(TWBIN)/tripwire -> $(SEC_BIN) ;
+ $(TWBIN)/twadmin -> $(SEC_BIN) ;
+ $(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+ rulename = "Tripwire Data Files",
+ severity = $(SIG_HI)
+)
+{
+ # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+ # it does so by renaming the old file and creating a new one (which will
+ # have a new inode number). Inode is left turned on for keys, which shouldn't
+ # ever change.
+
+ # NOTE: The first integrity check triggers this rule and each integrity check
+ # afterward triggers this rule until a database update is run, since the
+ # database file does not exist before that point.
+
+ $(TWDB) -> $(SEC_CONFIG) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
+ $(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
+ $(TWPOL)/twpol.txt -> $(SEC_BIN) ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
+ $(TWSKEY)/site.key -> $(SEC_BIN) ;
+
+ #don't scan the individual reports
+ $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+
+# Tripwire HQ Connector Binaries
+#(
+# rulename = "Tripwire HQ Connector Binaries",
+# severity = $(SIG_HI)
+#)
+#{
+# $(TWBIN)/hqagent -> $(SEC_BIN) ;
+#}
+#
+# Tripwire HQ Connector - Configuration Files, Keys, and Logs
+
+#
+# Note: File locations here are different than in a stock HQ Connector
+# installation. This is because Tripwire 2.3 uses a different path
+# structure than Tripwire 2.2.1.
+#
+# You may need to update your HQ Agent configuation file (or this policy
+# file) to correct the paths. We have attempted to support the FHS standard
+# here by placing the HQ Agent files similarly to the way Tripwire 2.3
+# places them.
+#
+
+#(
+# rulename = "Tripwire HQ Connector Data Files",
+# severity = $(SIG_HI)
+#)
+#{
+#
+# # NOTE: Removing the inode attribute because when Tripwire creates a backup
+# # it does so by renaming the old file and creating a new one (which will
+# # have a new inode number). Leaving inode turned on for keys, which
+# # shouldn't ever change.
+#
+#
+# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
+# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
+# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
+# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
+#
+# # Uncomment if you have agent logging enabled.
+# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
+#}
+
+
+
+# Commonly accessed directories that should remain static with regards to owner and group
+(
+ rulename = "Invariant Directories",
+ severity = $(SIG_MED)
+)
+{
+ / -> $(SEC_INVARIANT) (recurse = false) ;
+ /home -> $(SEC_INVARIANT) (recurse = false) ;
+}
+
+#
+# First, root's "home"
+#
+
+(
+ rulename = "Root's home",
+ severity = $(SIG_HI)
+)
+{
+ # /.rhosts -> $(SEC_CRIT) ;
+ /.profile -> $(SEC_CRIT) ;
+ /.cshrc -> $(SEC_CRIT) ;
+ /.login -> $(SEC_CRIT) ;
+ # /.exrc -> $(SEC_CRIT) ;
+ # /.logout -> $(SEC_CRIT) ;
+ # /.forward -> $(SEC_CRIT) ;
+ /root -> $(SEC_CRIT) (recurse = true) ;
+ !/root/.history ;
+ !/root/.bash_history ;
+ # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
+}
+
+
+#
+# FreeBSD Kernel
+#
+
+(
+ rulename = "FreeBSD Kernel",
+ severity = $(SIG_HI)
+)
+{
+ /kernel -> $(SEC_CRIT) ;
+ /kernel.old -> $(SEC_CRIT) ;
+ /kernel.GENERIC -> $(SEC_CRIT) ;
+}
+
+
+#
+# FreeBSD Modules
+#
+
+(
+ rulename = "FreeBSD Modules",
+ severity = $(SIG_HI)
+)
+{
+ /modules -> $(SEC_CRIT) (recurse = true) ;
+ /modules.old -> $(SEC_CRIT) (recurse = true) ;
+ # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
+}
+
+
+#
+# System Administration Programs
+#
+
+(
+ rulename = "System Administration Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/sbin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# User Utilities
+#
+
+(
+ rulename = "User Utilities",
+ severity = $(SIG_HI)
+)
+{
+ /bin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/bin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# /dev
+#
+
+(
+ rulename = "/dev",
+ severity = $(SIG_HI)
+)
+{
+ /dev -> $(Device) (recurse = true) ;
+ !/dev/vga ;
+ !/dev/dri ;
+ /dev/console -> $(SEC_TTY) ;
+ /dev/ttyv0 -> $(SEC_TTY) ;
+ /dev/ttyv1 -> $(SEC_TTY) ;
+ /dev/ttyv2 -> $(SEC_TTY) ;
+ /dev/ttyv3 -> $(SEC_TTY) ;
+ /dev/ttyv4 -> $(SEC_TTY) ;
+ /dev/ttyv5 -> $(SEC_TTY) ;
+ /dev/ttyv6 -> $(SEC_TTY) ;
+ /dev/ttyv7 -> $(SEC_TTY) ;
+ /dev/ttyp0 -> $(SEC_TTY) ;
+ /dev/ttyp1 -> $(SEC_TTY) ;
+ /dev/ttyp2 -> $(SEC_TTY) ;
+ /dev/ttyp3 -> $(SEC_TTY) ;
+ /dev/ttyp4 -> $(SEC_TTY) ;
+ /dev/ttyp5 -> $(SEC_TTY) ;
+ /dev/ttyp6 -> $(SEC_TTY) ;
+ /dev/ttyp7 -> $(SEC_TTY) ;
+ /dev/ttyp8 -> $(SEC_TTY) ;
+ /dev/ttyp9 -> $(SEC_TTY) ;
+ /dev/ttypa -> $(SEC_TTY) ;
+ /dev/ttypb -> $(SEC_TTY) ;
+ /dev/ttypc -> $(SEC_TTY) ;
+ /dev/ttypd -> $(SEC_TTY) ;
+ /dev/ttype -> $(SEC_TTY) ;
+ /dev/ttypf -> $(SEC_TTY) ;
+ /dev/ttypg -> $(SEC_TTY) ;
+ /dev/ttyph -> $(SEC_TTY) ;
+ /dev/ttypi -> $(SEC_TTY) ;
+ /dev/ttypj -> $(SEC_TTY) ;
+ /dev/ttypl -> $(SEC_TTY) ;
+ /dev/ttypm -> $(SEC_TTY) ;
+ /dev/ttypn -> $(SEC_TTY) ;
+ /dev/ttypo -> $(SEC_TTY) ;
+ /dev/ttypp -> $(SEC_TTY) ;
+ /dev/ttypq -> $(SEC_TTY) ;
+ /dev/ttypr -> $(SEC_TTY) ;
+ /dev/ttyps -> $(SEC_TTY) ;
+ /dev/ttypt -> $(SEC_TTY) ;
+ /dev/ttypu -> $(SEC_TTY) ;
+ /dev/ttypv -> $(SEC_TTY) ;
+ /dev/cuaa0 -> $(SEC_TTY) ; # modem
+}
+
+
+#
+# /etc
+#
+
+(
+ rulename = "/etc",
+ severity = $(SIG_HI)
+)
+{
+ /etc -> $(SEC_CRIT) (recurse = true) ;
+ # /etc/mail/aliases -> $(SEC_CONFIG) ;
+ /etc/dumpdates -> $(SEC_CONFIG) ;
+ /etc/motd -> $(SEC_CONFIG) ;
+ !/etc/ppp/connect-errors ;
+ /etc/skeykeys -> $(SEC_CONFIG) ;
+ # Uncomment the following 4 lines if your password file does not change
+ # /etc/passwd -> $(SEC_CONFIG) ;
+ # /etc/master.passwd -> $(SEC_CONFIG) ;
+ # /etc/pwd.db -> $(SEC_CONFIG) ;
+ # /etc/spwd.db -> $(SEC_CONFIG) ;
+}
+
+
+#
+# Copatibility (Linux)
+#
+
+(
+ rulename = "Linux Compatibility",
+ severity = $(SIG_HI)
+)
+{
+ /compat -> $(SEC_CRIT) (recurse = true) ;
+#
+# Uncomment the following if Linux compatibility is used. Replace
+# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
+# installed.
+#
+#@@ifhost HOSTNAME1 || HOSTNAME2
+# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
+# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
+# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
+# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
+# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
+# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
+# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
+# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
+# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
+# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
+# !/compat/linux/etc/ld.so.cache ;
+# !/compat/linux/var/spool/mail ;
+#@@endif
+}
+
+
+#
+# Libraries, include files, and other system files
+#
+
+(
+ rulename = "Libraries, include files, and other system files",
+ severity = $(SIG_HI)
+)
+{
+ /usr/include -> $(SEC_CRIT) (recurse = true) ;
+ /usr/lib -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libdata -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libexec -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man -> $(SEC_CONFIG) ;
+ !/usr/share/man/whatis ;
+ !/usr/share/man/.glimpse_filenames ;
+ !/usr/share/man/.glimpse_filenames_index ;
+ !/usr/share/man/.glimpse_filetimes ;
+ !/usr/share/man/.glimpse_filters ;
+ !/usr/share/man/.glimpse_index ;
+ !/usr/share/man/.glimpse_messages ;
+ !/usr/share/man/.glimpse_partitions ;
+ !/usr/share/man/.glimpse_statistics ;
+ !/usr/share/man/.glimpse_turbo ;
+ /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/man/cat1 ;
+ ! /usr/share/man/cat2 ;
+ ! /usr/share/man/cat3 ;
+ ! /usr/share/man/cat4 ;
+ ! /usr/share/man/cat5 ;
+ ! /usr/share/man/cat6 ;
+ ! /usr/share/man/cat7 ;
+ ! /usr/share/man/cat8 ;
+ ! /usr/share/man/cat9 ;
+ ! /usr/share/man/catl ;
+ ! /usr/share/man/catn ;
+ /usr/share/perl/man -> $(SEC_CONFIG) ;
+ !/usr/share/perl/man/whatis ;
+ !/usr/share/perl/man/.glimpse_filenames ;
+ !/usr/share/perl/man/.glimpse_filenames_index ;
+ !/usr/share/perl/man/.glimpse_filetimes ;
+ !/usr/share/perl/man/.glimpse_filters ;
+ !/usr/share/perl/man/.glimpse_index ;
+ !/usr/share/perl/man/.glimpse_messages ;
+ !/usr/share/perl/man/.glimpse_partitions ;
+ !/usr/share/perl/man/.glimpse_statistics ;
+ !/usr/share/perl/man/.glimpse_turbo ;
+ /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/perl/man/cat3 ;
+ /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
+ ! /usr/local/lib/perl5/5.00503/man/whatis ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
+ /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/lib/perl5/5.00503/man/cat3 ;
+}
+
+
+#
+# X11R6
+#
+
+(
+ rulename = "X11R6",
+ severity = $(SIG_HI)
+)
+{
+ /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
+ !/usr/X11R6/lib/X11/xdm/xdm-errors ;
+ !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
+ !/usr/X11R6/lib/X11/xdm/xdm-pid ;
+ /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
+ /usr/X11R6/man -> $(SEC_CONFIG) ;
+ !/usr/X11R6/man/whatis ;
+ !/usr/X11R6/man/.glimpse_filenames ;
+ !/usr/X11R6/man/.glimpse_filenames_index ;
+ !/usr/X11R6/man/.glimpse_filetimes ;
+ !/usr/X11R6/man/.glimpse_filters ;
+ !/usr/X11R6/man/.glimpse_index ;
+ !/usr/X11R6/man/.glimpse_messages ;
+ !/usr/X11R6/man/.glimpse_partitions ;
+ !/usr/X11R6/man/.glimpse_statistics ;
+ !/usr/X11R6/man/.glimpse_turbo ;
+ /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/X11R6/man/cat1 ;
+ ! /usr/X11R6/man/cat2 ;
+ ! /usr/X11R6/man/cat3 ;
+ ! /usr/X11R6/man/cat4 ;
+ ! /usr/X11R6/man/cat5 ;
+ ! /usr/X11R6/man/cat6 ;
+ ! /usr/X11R6/man/cat7 ;
+ ! /usr/X11R6/man/cat8 ;
+ ! /usr/X11R6/man/cat9 ;
+ ! /usr/X11R6/man/catl ;
+ ! /usr/X11R6/man/catn ;
+}
+
+
+#
+# sources
+#
+
+(
+ rulename = "Sources",
+ severity = $(SIG_HI)
+)
+{
+ /usr/src -> $(SEC_CRIT) (recurse = true) ;
+ /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
+}
+
+
+#
+# NIS
+#
+
+(
+ rulename = "NIS",
+ severity = $(SIG_HI)
+)
+{
+ /var/yp -> $(SEC_CRIT) (recurse = true) ;
+ !/var/yp/binding ;
+}
+
+
+#
+# Temporary directories
+#
+(
+ rulename = "Temporary directories",
+ recurse = false,
+ severity = $(SIG_LOW)
+)
+{
+ /usr/tmp -> $(SEC_INVARIANT) ;
+ /var/tmp -> $(SEC_INVARIANT) ;
+ /var/preserve -> $(SEC_INVARIANT) ;
+ /tmp -> $(SEC_INVARIANT) ;
+}
+
+#
+# Local files
+#
+
+(
+ rulename = "Local files",
+ severity = $(SIG_MED)
+)
+{
+ /usr/local/bin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/etc -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/share -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/man -> $(SEC_CONFIG) ;
+ !/usr/local/man/whatis ;
+ !/usr/local/man/.glimpse_filenames ;
+ !/usr/local/man/.glimpse_filenames_index ;
+ !/usr/local/man/.glimpse_filetimes ;
+ !/usr/local/man/.glimpse_filters ;
+ !/usr/local/man/.glimpse_index ;
+ !/usr/local/man/.glimpse_messages ;
+ !/usr/local/man/.glimpse_partitions ;
+ !/usr/local/man/.glimpse_statistics ;
+ !/usr/local/man/.glimpse_turbo ;
+ /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/man/cat1 ;
+ ! /usr/local/man/cat2 ;
+ ! /usr/local/man/cat3 ;
+ ! /usr/local/man/cat4 ;
+ ! /usr/local/man/cat5 ;
+ ! /usr/local/man/cat6 ;
+ ! /usr/local/man/cat7 ;
+ ! /usr/local/man/cat8 ;
+ ! /usr/local/man/cat9 ;
+ ! /usr/local/man/catl ;
+ ! /usr/local/man/catn ;
+ /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man -> $(SEC_CONFIG) ;
+ !/usr/local/krb5/man/whatis ;
+ !/usr/local/krb5/man/.glimpse_filenames ;
+ !/usr/local/krb5/man/.glimpse_filenames_index ;
+ !/usr/local/krb5/man/.glimpse_filetimes ;
+ !/usr/local/krb5/man/.glimpse_filters ;
+ !/usr/local/krb5/man/.glimpse_index ;
+ !/usr/local/krb5/man/.glimpse_messages ;
+ !/usr/local/krb5/man/.glimpse_partitions ;
+ !/usr/local/krb5/man/.glimpse_statistics ;
+ !/usr/local/krb5/man/.glimpse_turbo ;
+ /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/krb5/man/cat1 ;
+ ! /usr/local/krb5/man/cat2 ;
+ ! /usr/local/krb5/man/cat3 ;
+ ! /usr/local/krb5/man/cat4 ;
+ ! /usr/local/krb5/man/cat5 ;
+ ! /usr/local/krb5/man/cat6 ;
+ ! /usr/local/krb5/man/cat7 ;
+ ! /usr/local/krb5/man/cat8 ;
+ ! /usr/local/krb5/man/cat9 ;
+ ! /usr/local/krb5/man/catl ;
+ ! /usr/local/krb5/man/catn ;
+ /usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
+}
+
+
+(
+ rulename = "Security Control",
+ severity = $(SIG_HI)
+)
+{
+ /etc/group -> $(SEC_CRIT) ;
+ /etc/crontab -> $(SEC_CRIT) ;
+}
+
+#=============================================================================
+#
+# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
+# Inc. in the United States and other countries. All rights reserved.
+#
+# FreeBSD is a registered trademark of the FreeBSD Project Inc.
+#
+# UNIX is a registered trademark of The Open Group.
+#
+#=============================================================================
+#
+# Permission is granted to make and distribute verbatim copies of this document
+# provided the copyright notice and this permission notice are preserved on all
+# copies.
+#
+# Permission is granted to copy and distribute modified versions of this
+# document under the conditions for verbatim copying, provided that the entire
+# resulting derived work is distributed under the terms of a permission notice
+# identical to this one.
+#
+# Permission is granted to copy and distribute translations of this document
+# into another language, under the above conditions for modified versions,
+# except that this permission notice may be stated in a translation approved by
+# Tripwire, Inc.
+#
+# DCM