Date:      Wed, 22 Feb 2012 15:57:11 -0600 (CST)
From:      Joe Greco <jgreco@ns.sol.net>
To:        ports@freebsd.org
Subject:   Req update for ports/security/tripwire12
Message-ID:  <201202222157.q1MLvBKV052020@aurora.sol.net>

misc fixes (not comprehensive) for freebsd8

diff -Ncr tripwire12.old/Makefile tripwire12/Makefile
*** tripwire12.old/Makefile	Sun Apr 26 02:22:57 2009
--- tripwire12/Makefile	Wed Feb 22 15:22:52 2012
***************
*** 20,26 ****
  NO_PACKAGE=	requires local database to be built
  USE_PERL5_BUILD=yes
  
! TWCONFIG?=	${FILESDIR}/tw.conf.freebsd2
  
  post-extract:
  	@ (cd ${WRKDIR}; tar xpf T1.2.tar)
--- 20,26 ----
  NO_PACKAGE=	requires local database to be built
  USE_PERL5_BUILD=yes
  
! TWCONFIG?=	${FILESDIR}/tw.conf.freebsd8
  
  post-extract:
  	@ (cd ${WRKDIR}; tar xpf T1.2.tar)
***************
*** 33,41 ****
  
  pre-configure:
  	@ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs
! 	@ ${SED} s%/kernel%`/sbin/sysctl -bn kern.bootfile`% \
! 		< ${TWCONFIG} \
! 		> ${WRKSRC}/configs/tw.conf.freebsd2
  
  post-install:
  	@ ${MKDIR} /var/adm/tcheck
--- 33,39 ----
  
  pre-configure:
  	@ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs
! 	@ ${cp} ${TWCONFIG} ${WRKSRC}/configs/tw.conf.freebsd8
  
  post-install:
  	@ ${MKDIR} /var/adm/tcheck
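Review bot: The replacement line in pre-configure calls `${cp}` in lower case while the line above it uses `${CP}`; make variable names are case-sensitive, so unless `cp` is defined outside this hunk it expands to nothing and the shell is asked to execute `${TWCONFIG}` itself. The line should read `@ ${CP} ${TWCONFIG} ${WRKSRC}/configs/tw.conf.freebsd8`. Removing the `sed` step also means the `/kernel` entry is no longer rewritten to the `kern.bootfile` path, so the installed config keeps a literal `/kernel` line; if that is intended, the new tw.conf.freebsd8 should name the real boot file itself, with a short comment saying why the substitution was dropped.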
diff -Ncr tripwire12.old/files/tw.conf.freebsd8 tripwire12/files/tw.conf.freebsd8
*** tripwire12.old/files/tw.conf.freebsd8	Wed Dec 31 18:00:00 1969
--- tripwire12/files/tw.conf.freebsd8	Wed Feb 22 15:52:37 2012
***************
*** 0 ****
--- 1,165 ----
+ # $FreeBSD$
+ #
+ # tripwire.config
+ # Generic version for FreeBSD
+ #  Will need editing...see comments below
+ #
+ # This file contains a list of files and directories that System 
+ # Preener will scan.  Information collected from these files will be 
+ # stored in the tripwire.database file.
+ #
+ # Format: 			[!|=] entry [ignore-flags]
+ #
+ # where:	 '!' signifies the entry is to be pruned (inclusive) from
+ #				the list of files to be scanned.
+ #		 '=' signifies the entry is to be added, but if it is
+ #				a directory, then all its contents are pruned
+ #				(useful for /tmp).
+ #
+ # where:	entry is the absolute pathname of a file or a directory
+ #
+ # where ignore-flags are in the format:
+ #		[template][ [+|-][pinugsam12] ... ]
+ #
+ # 	- :  ignore the following atributes
+ #	+ :  do not ignore the following attributes
+ #
+ #	p :  permission and file mode bits 	a: access timestamp
+ #	i :  inode number			m: modification timestamp
+ #	n :  number of links (ref count)	c: inode creation timestamp
+ #	u :  user id of owner			1: signature 1
+ #	g :  group id of owner			2: signature 2
+ #	s :  size of file
+ #
+ #
+ # Ex:   The following entry will scan all the files in /etc, and report
+ #	any changes in mode bits, inode number, reference count, uid,
+ #	gid, modification and creation timestamp, and the signatures.
+ #	However, it will ignore any changes in the access timestamp.
+ #
+ #	/etc	+pinugsm12-a
+ #
+ # The following templates have been pre-defined to make these long ignore
+ # mask descriptions unecessary.
+ #
+ # Templates: 	(default)	R :  [R]ead-only (+pinugsm12-a)
+ #				L :  [L]og file (+pinug-sam12)
+ #				N :  ignore [N]othing (+pinusgsamc12)
+ #				E :  ignore [E]verything (-pinusgsamc12)
+ #
+ # By default, Tripwire uses the R template -- it ignores
+ # only the access timestamp.
+ #
+ # You can use templates with modifiers, like:
+ #	Ex:  /etc/lp	E+ug
+ #
+ #	Example configuration file:
+ #		/etc		R	# all system files
+ #		!/etc/lp	R	# ...but not those logs
+ #		=/tmp		N	# just the directory, not its files
+ #
+ # Note the difference between pruning (via "!") and ignoring everything
+ # (via "E" template):  Ignoring everything in a directory still monitors
+ # for added and deleted files.  Pruning a directory will prevent Tripwire
+ # from even looking in the specified directory.
+ #
+ #
+ # Tripwire running slowly?  Modify your tripwire.config entries to
+ # ignore the (signature 2) attribute when this computationally-exorbitant 
+ # protection is not needed.  (See README and design document for further
+ # details.)
+ #
+ 
+ #  First, root's traditional "home".  Note that FreeBSD's root's home (/root)
+ #  is protected by R-2 protections in the default config file.
+ =/		L
+ /.rhosts	R	# may not exist
+ /.profile	R	# may not exist
+ /.cshrc		R	# may not exist
+ /.login		R	# may not exist
+ /.exrc		R	# may not exist
+ /.logout	R	# may not exist
+ /.forward	R	# may not exist
+ 
+ # Unix itself
+ /kernel		R
+ /boot		R
+ /boot.config	R
+ 
+ # /bin
+ /bin		R-2
+ 
+ # /dev
+ =/dev	 	L
+ 
+ # /etc
+ /etc			R-2
+ /etc/aliases	 	L
+ /etc/dumpdates		L
+ /etc/motd		L
+ 
+ # my passwd database should be static at time of system build.  yours may
+ # not be, if not, uncomment the lines below.
+ 
+ # /etc/passwd		L
+ # /etc/master.passwd	L
+ # /etc/pwd.db		L
+ # /etc/spwd.db		L
+ 
+ # /home
+ =/home
+ 
+ # /lib
+ /lib			R-2
+ 
+ # /libexec
+ /libexec		R-2
+ 
+ # /lkm and /modules
+ /lkm			R-2
+ /modules		R-2
+ 
+ # /boot
+ /boot			R-2
+ 
+ # /rescue
+ /rescue			R-2
+ 
+ # /root
+ /root			R-2
+ /root/.history		L
+ 
+ # /sbin
+ /sbin			R-2
+ 
+ # /stand
+ /stand			R-2
+ 
+ # /usr/bin
+ /usr/bin		R-2
+ 
+ /usr/include		R-12
+ 
+ /usr/lib		R-2
+ 
+ /usr/libdata		R-2
+ 
+ /usr/libexec		R-2
+ 
+ /usr/local/bin		R-2
+ 
+ /usr/local/etc		L
+ 
+ /usr/local/lib		R-2
+ 
+ /usr/local/libexec	R-2
+ 
+ /usr/local/sbin		R-2
+ 
+ /usr/local/share	R-2
+ 
+ /usr/sbin		R-2
+ 
+ /usr/share		R-2
+ 
+ ###########################################
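Review bot: `/usr/local/etc L` applies the log-file template, which by this file's own legend (`+pinug-sam12`) ignores size, timestamps and both signatures, so an in-place edit under /usr/local/etc that keeps owner and mode is not reported. That tree normally holds port configuration and start-up scripts, so `/usr/local/etc R-2` with `L` exceptions for the few files that really churn would match how `/etc` is handled above. `/boot` is also listed twice, once as `R` and once as `R-2`, and only one entry should remain. `/kernel`, `/lkm`, `/modules` and `/stand` look carried over from older releases and are probably absent on FreeBSD 8; confirm, and either drop them or mark them `# may not exist` like the dot-file entries.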

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


