diff --git a/.cvsignore b/.cvsignore
deleted file mode 100644
index e69de29..0000000
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8fa6276
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+tripwire-2.4.1.2-src.tar.bz2
+/tripwire-2.4.2.2-src.tar.bz2
+/2.4.3.0.tar.gz
+/2.4.3.1.tar.gz
+/2.4.3.2.tar.gz
+/2.4.3.3.tar.gz
+/tripwire-open-source-2.4.3.4.tar.gz
+/tripwire-open-source-2.4.3.5.tar.gz
+/tripwire-open-source-2.4.3.7.tar.gz
diff --git a/License-Issues b/License-Issues
new file mode 100644
index 0000000..6b892e1
--- /dev/null
+++ b/License-Issues
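Review bot: The first entry `tripwire-2.4.1.2-src.tar.bz2` has no leading `/`, unlike the other eight patterns, so it is not anchored to the repository root and also matches a same-named file in any subdirectory. If the intent is the same as for the rest of the list, the anchored form `/tripwire-2.4.1.2-src.tar.bz2` keeps the entries consistent and avoids silently hiding a stray copy elsewhere in the tree.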
@@ -0,0 +1,66 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Update 19 Feb 2004:
+
+The following issues are soon to disappear, since:
+
+ 1) There are now cleaner upstream sources to work with (Debian)
+ 2) I'm working towards ditching Crypto++ altogether
+
+######
+
+There seems to be some speculation as to the legal status of this
+software.
+
+The problem seems to stem from patents, copyrights and licenses in the
+Crypto++ distribution, by Wei Dei.
+
+For more information on the exact issues, please refer to the following
+URL:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153007
+
+The situation with the Fedora release is not as complex however, since
+many of the questionable components are not included, specifically:
+
+The following are not in the archive, so there is no issue:
+src/cryptlib/idea.cpp
+src/cryptlib/haval.cpp
+src/cryptlib/mars.cpp
+src/cryptlib/serpent.cpp
+src/cryptlib/md5.cpp
+src/cryptlib/md5mac.cpp
+src/cryptlib/cast.cpp
+
+The following are copyrighted, but have no license:
+src/cryptlib/zbits.cpp
+src/cryptlib/ztrees.cpp
+src/cryptlib/zdeflate.cpp
+src/cryptlib/sha.cpp ?
+
+With regards to those last four files, Stephen Zander is apparently going to approach Wei Dei with regards clearing up
+the "no license" issues. However, I don't think this is a "fatal"
+problem at this stage. Hopefully this will include clearing up the
+implications of section 2 of src/cryptlib/license.txt, which reads:
+
+"2. Users of the software included in this compilation agree to use
+their best efforts to provide Wei Dai with any modifications containing
+improvements or extensions and hereby grant Wei Dai a perpetual,
+royalty-free license to use and distribute such modifications under the
+terms of this license."
+
+I'm no GPL/OSS expert, but there are some who believe this is
+incompatible with the GPL. Discussions are ongoing, and I will continue
+to update this file in future releases with any news.
+
+Keith G. Robertson-Turner
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.2.3 (GNU/Linux)
+
+iD8DBQFANEDN2XoLj+pGfn8RArdFAJ0edxT3u8DmWJEOpQ7eSFcFd17cXACfVH5I
+PKV00HlQoZBBfbrq8//6pd8=
+=HlLR
+-----END PGP SIGNATURE-----
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 0b147ad..0000000
--- a/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for source rpm: tripwire
-# $Id$
-NAME := tripwire
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Rootx && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/README.Fedora.in b/README.Fedora.in
new file mode 100644
index 0000000..38ac424
--- /dev/null
+++ b/README.Fedora.in
@@ -0,0 +1,70 @@
+Post-Installation Instructions
+
+The Tripwire RPM installs the basic program files needed to run the software. However, this installation does not complete custom configurations that Tripwire 2.4 needs to perform correctly. After you unpack the RPM, you must:
+1. Generate the system-specific cryptographic key files ( @sbindir@/tripwire-setup-keyfiles )
+2. Initialize the Tripwire database file. ( @sbindir@/tripwire --init )
+3. Run the first integrity check. ( @sbindir@/tripwire --check )
+4. Edit the configuration file ( twcfg.txt ) with a text editor, if desired.
+5. Edit the policy file ( twpol.txt ) with a text editor, if desired.
+
+Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.
+
+Modifying the Policy File
+You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system.
+
+Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/share/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language.
+
+After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software.
+
+Selecting Passphrases
+Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
+Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
+
+Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.
+
+Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
+
+Initializing the Database
+In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
+tripwire --init
+
+Running an Integrity Check
+The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
+tripwire --check
+
+Printing Reports - twprint Print Report Mode
+The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used.
+Example: On a machine named LIGHTHOUSE, the command would be:
+./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
+
+Updating the Database after an Integrity Check
+Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
+tripwire --update
+
+Updating the Policy File
+Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:
+tripwire --update-policy
+
+Testing email functions
+Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
+tripwire --test
+
+Tripwire Components
+The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore.
+
+System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file.
+
+The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
+
+When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.
+
+The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits.
+
+Tripwire Help
+All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
+
+-? Display usage and version information
+--help Display all command modes
+--help all Display help for all command modes
+--help [mode] Display help for current command mode
+--version Display version information
diff --git a/config.guess b/config.guess
new file mode 100644
index 0000000..76081ea
--- /dev/null
+++ b/config.guess
@@ -0,0 +1,1531 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +# 2011, 2012 Free Software Foundation, Inc. + +timestamp='2012-02-10' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + + +# Originally written by Per Bothner. Please send patches (context +# diff format) to and include a ChangeLog +# entry. +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of the system \`$me' is run on. + +Operation modes: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." 
+ +version="\ +GNU config.guess ($timestamp) + +Originally written by Per Bothner. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 +Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +trap 'exit 1' 1 2 15 + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still +# use `HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. 
+ +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then + CC_FOR_BUILD="$c"; break ; + fi ; + done ; + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found ; + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; +esac ; set_cc_for_build= ;' + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. 
This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently, or will in the future. + case "${UNAME_MACHINE_ARCH}" in + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + eval $set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ELF__ + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
+ echo "${machine}-${os}${release}" + exit ;; + *:OpenBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; + *:SolidBSD:*:*) + echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + exit ;; + macppc:MirBSD:*:*) + echo powerpc-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; + alpha:OSF1:*:*) + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. 
+ # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + exitcode=$? + trap '' 0 + exit $exitcode ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-unknown-sysv4 + exit ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit ;; + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos + exit ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit ;; + arm:riscos:*:*|arm:RISCOS:*:*) + echo arm-unknown-riscos + exit ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7; exit ;; + esac ;; + s390x:SunOS:*:*) + echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + echo i386-pc-auroraux${UNAME_RELEASE} + exit ;; + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) + eval $set_cc_for_build + SUN_ARCH="i386" + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + SUN_ARCH="x86_64" + fi + fi + echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. 
+ echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} + exit ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo 
clipper-intergraph-clix${UNAME_RELEASE} + exit ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && + dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`$dummy $dummyarg` && + { echo "$SYSTEM_NAME"; exit; } + echo mips-mips-riscos${UNAME_RELEASE} + exit ;; + Motorola:PowerMAX_OS:*:*) + echo powerpc-motorola-powermax + exit ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit ;; + XD88*:*:*:*) # 
Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + echo i386-ibm-aix + exit ;; + ia64:AIX:*:*) + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + exit ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + then + echo "$SYSTEM_NAME" + else + echo rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit ;; + *:AIX:*:[4567]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit ;; + 9000/[34]??:4.3bsd:1.*:*) + echo 
m68k-hp-bsd + exit ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + esac ;; + esac + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + eval $set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. 
GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + grep -q __LP64__ + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux${HPUX_REV} + exit ;; + 3050*:HI-UX:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + echo unknown-hitachi-hiuxwe2 + exit ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit ;; + i*86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit ;; + C2*:ConvexOS:*:* | 
convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*T3E:*:*:*) + echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*SV1:*:*:*) + echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} 
+ exit ;; + *:FreeBSD:*:*) + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in + amd64) + echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + *) + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + esac + exit ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit ;; + *:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 + exit ;; + i*:PW*:*) + echo ${UNAME_MACHINE}-pc-pw32 + exit ;; + *:Interix*:*) + case ${UNAME_MACHINE} in + x86) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + authenticamd | genuineintel | EM64T) + echo x86_64-unknown-interix${UNAME_RELEASE} + exit ;; + IA64) + echo ia64-unknown-interix${UNAME_RELEASE} + exit ;; + esac ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit ;; + 8664:Windows_NT:*) + echo x86_64-pc-mks + exit ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? 
+ echo i586-pc-interix + exit ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit ;; + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + *:GNU:*:*) + # the GNU system + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + exit ;; + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" 
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + exit ;; + arm*:Linux:*:*) + eval $set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + echo ${UNAME_MACHINE}-unknown-linux-gnu + else + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabihf + fi + fi + exit ;; + avr32*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + cris:Linux:*:*) + echo ${UNAME_MACHINE}-axis-linux-gnu + exit ;; + crisv32:Linux:*:*) + echo ${UNAME_MACHINE}-axis-linux-gnu + exit ;; + frv:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + i*86:Linux:*:*) + LIBC=gnu + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #ifdef __dietlibc__ + LIBC=dietlibc + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + exit ;; + ia64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + m68*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + mips:Linux:*:* | mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef ${UNAME_MACHINE} + #undef ${UNAME_MACHINE}el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=${UNAME_MACHINE}el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=${UNAME_MACHINE} + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + ;; + or32:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + padre:Linux:*:*) + echo sparc-unknown-linux-gnu + 
exit ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + echo hppa64-unknown-linux-gnu + exit ;; + parisc:Linux:*:* | hppa:Linux:*:*) + # Look for CPU level + case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in + PA7*) echo hppa1.1-unknown-linux-gnu ;; + PA8*) echo hppa2.0-unknown-linux-gnu ;; + *) echo hppa-unknown-linux-gnu ;; + esac + exit ;; + ppc64:Linux:*:*) + echo powerpc64-unknown-linux-gnu + exit ;; + ppc:Linux:*:*) + echo powerpc-unknown-linux-gnu + exit ;; + s390:Linux:*:* | s390x:Linux:*:*) + echo ${UNAME_MACHINE}-ibm-linux + exit ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + sh*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + sparc:Linux:*:* | sparc64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + tile*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + vax:Linux:*:*) + echo ${UNAME_MACHINE}-dec-linux-gnu + exit ;; + x86_64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. + # earlier versions are messed up and put the nodename in both + # sysname and nodename. + echo i386-sequent-sysv4 + exit ;; + i*86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. 
+ echo ${UNAME_MACHINE}-pc-os2-emx + exit ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit ;; + i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + exit ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configury will decide that + # this is a cross-build. 
+ echo i586-pc-msdosdjgpp + exit ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit ;; + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit ;; + 
TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit ;; + rs6000:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit ;; + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) + echo powerpc-unknown-lynxos${UNAME_RELEASE} + exit ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit ;; + RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + echo i860-stratus-sysv4 + exit ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + echo ${UNAME_MACHINE}-stratus-vos + exit ;; + *:VOS:*:*) + # From Paul.Green@stratus.com. + echo hppa1.1-stratus-vos + exit ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit ;; + news*:NEWS-OS:6*:*) + echo mips-sony-newsos6 + exit ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit ;; + BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 
+ echo i586-pc-haiku + exit ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit ;; + SX-7:SUPER-UX:*:*) + echo sx7-nec-superux${UNAME_RELEASE} + exit ;; + SX-8:SUPER-UX:*:*) + echo sx8-nec-superux${UNAME_RELEASE} + exit ;; + SX-8R:SUPER-UX:*:*) + echo sx8r-nec-superux${UNAME_RELEASE} + exit ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Darwin:*:*) + UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown + case $UNAME_PROCESSOR in + i386) + eval $set_cc_for_build + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + UNAME_PROCESSOR="x86_64" + fi + fi ;; + unknown) UNAME_PROCESSOR=powerpc ;; + esac + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + exit ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = "x86"; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi + echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + exit ;; + *:QNX:*:4*) + echo i386-pc-qnx + exit ;; + NEO-?:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk${UNAME_RELEASE} + exit ;; + NSE-?:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit ;; + NSR-?:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk${UNAME_RELEASE} + exit ;; + *:NonStop-UX:*:*) + echo mips-compaq-nonstopux + exit ;; + BS2000:POSIX*:*:*) + echo bs2000-siemens-sysv + exit ;; + DS/*:UNIX_System_V:*:*) + echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + exit ;; + *:Plan9:*:*) + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. 
+ if test "$cputype" = "386"; then + UNAME_MACHINE=i386 + else + UNAME_MACHINE="$cputype" + fi + echo ${UNAME_MACHINE}-unknown-plan9 + exit ;; + *:TOPS-10:*:*) + echo pdp10-unknown-tops10 + exit ;; + *:TENEX:*:*) + echo pdp10-unknown-tenex + exit ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + echo pdp10-dec-tops20 + exit ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + echo pdp10-xkl-tops20 + exit ;; + *:TOPS-20:*:*) + echo pdp10-unknown-tops20 + exit ;; + *:ITS:*:*) + echo pdp10-unknown-its + exit ;; + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} + exit ;; + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms ; exit ;; + I*) echo ia64-dec-vms ; exit ;; + V*) echo vax-dec-vms ; exit ;; + esac ;; + *:XENIX:*:SysV) + echo i386-pc-xenix + exit ;; + i*86:skyos:*:*) + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + exit ;; + i*86:rdos:*:*) + echo ${UNAME_MACHINE}-pc-rdos + exit ;; + i*86:AROS:*:*) + echo ${UNAME_MACHINE}-pc-aros + exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +eval $set_cc_for_build +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... 
*/ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (__arm) && defined (__acorn) && defined (__unix) + printf ("arm-acorn-riscix\n"); exit (0); +#endif + +#if defined (hp300) && !defined (hpux) + printf ("m68k-hp-bsd\n"); exit (0); +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +# if !defined (ultrix) +# include +# if defined (BSD) +# if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +# else +# if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# endif +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# else + printf ("vax-dec-ultrix\n"); exit (0); +# endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. + +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + c34*) + echo c34-convex-bsd + exit ;; + c38*) + echo c38-convex-bsd + exit ;; + c4*) + echo c4-convex-bsd + exit ;; + esac +fi + +cat >&2 < in order to provide the needed +information to handle your system. 
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
+
diff --git a/sources b/sources
index e69de29..c3dbb47 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (tripwire-open-source-2.4.3.7.tar.gz) = 541138f4a4c3a4227f31de6607503d305f0d893bdd5d24928d619d3a25bb8fe7061a45c041992ace957b976b834b5f4212b5c727eee1cbc76ddb2e2c52aeafbd
diff --git a/tripwire-2.4.2.2-gcc47.patch b/tripwire-2.4.2.2-gcc47.patch
new file mode 100644
index 0000000..6b25def
--- /dev/null
+++ b/tripwire-2.4.2.2-gcc47.patch
@@ -0,0 +1,24 @@
+diff -up tripwire-2.4.2.2-src/src/cryptlib/algebra.h.gcc47 tripwire-2.4.2.2-src/src/cryptlib/algebra.h
+--- tripwire-2.4.2.2-src/src/cryptlib/algebra.h.gcc47 2011-11-21 11:06:56.000000000 -0500
++++ tripwire-2.4.2.2-src/src/cryptlib/algebra.h 2012-03-05 15:17:32.733038609 -0500
+@@ -273,7 +273,7 @@ template T AbstractEuclideanDo
+ Element g[3]={b, a};
+ unsigned int i0=0, i1=1, i2=2;
+ 
+- while (!Equal(g[i1], this->Zero()))
++ while (!this->Equal(g[i1], this->Zero()))
+ {
+ g[i2] = Mod(g[i0], g[i1]);
+ unsigned int t = i0; i0 = i1; i1 = i2; i2 = t;
+diff -up tripwire-2.4.2.2-src/src/twadmin/twadmincl.cpp.gcc47 tripwire-2.4.2.2-src/src/twadmin/twadmincl.cpp
+--- tripwire-2.4.2.2-src/src/twadmin/twadmincl.cpp.gcc47 2012-03-05 15:21:21.811528228 -0500
++++ tripwire-2.4.2.2-src/src/twadmin/twadmincl.cpp 2012-03-05 15:21:29.140447912 -0500
+@@ -35,6 +35,8 @@
+ 
+ #include "stdtwadmin.h"
+ 
++#include
++
+ #include "twadmincl.h"
+ #include "twadminstrings.h"
+ #include "keygeneration.h"
diff --git a/tripwire-F21-build.patch b/tripwire-F21-build.patch
new file mode 100644
index 0000000..144ead4
--- /dev/null
+++ b/tripwire-F21-build.patch
@@ -0,0 +1,12 @@
+diff -up tripwire-2.4.2.2-src/src/core/archive.cpp.orig tripwire-2.4.2.2-src/src/core/archive.cpp
+--- tripwire-2.4.2.2-src/src/core/archive.cpp.orig 2011-11-21 08:06:56.000000000 -0800
++++ tripwire-2.4.2.2-src/src/core/archive.cpp 2014-10-16 07:39:44.249052618 -0700
+@@ -883,7 +883,7 @@ void cLockedTemporaryFileArchive::OpenRe
+ strTempFile += _T("twtempXXXXXX");
+ iFSServices::GetInstance()->MakeTempFilename( strTempFile );
+ }
+- catch( eFSServices& e)
++ catch( eFSServices& es)
+ {
+ TSTRING errStr = TSS_GetString( cCore, core::STR_BAD_TEMPDIRECTORY );
+ eArchiveOpen e(strTempFile, errStr);
diff --git a/tripwire-narrowing.patch b/tripwire-narrowing.patch
new file mode 100644
index 0000000..92800e7
--- /dev/null
+++ b/tripwire-narrowing.patch
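Review bot: In tripwire-F21-build.patch the renamed binding in `catch( eFSServices& es)` is not referenced in the visible handler lines, which go on to declare their own `eArchiveOpen e(strTempFile, errStr);`; the rename only sidesteps that shadowing. If the rest of the handler (outside this hunk) does not use it either, an unnamed catch `catch( eFSServices& )` removes the shadowing without leaving an unused variable for -Wunused to report. The enclosing cLockedTemporaryFileArchive::OpenRe… function both starts and ends outside the hunk, so this needs confirming against the full handler.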
@@ -0,0 +1,65 @@ +diff -rup a/tripwire-open-source-2.4.3.0/src/twparser/yyparse.cpp b/tripwire-open-source-2.4.3.0/src/twparser/yyparse.cpp +--- a/tripwire-open-source-2.4.3.0/src/twparser/yyparse.cpp 2016-04-12 20:18:49.000000000 +0200 ++++ b/tripwire-open-source-2.4.3.0/src/twparser/yyparse.cpp 2016-04-23 11:57:38.548102229 +0200 +@@ -176,25 +176,25 @@ yyNamedType yyTokenTypes[] = { + #endif + static short yydef[] = { + +- 65535, 65531, 9, 53, 65527, 3, 65523, 10, 7, 65519, +- 5, 4, 65515, 50, 65509, 8, 65505, -35 ++ (short) 65535, (short) 65531, 9, 53, (short) 65527, 3, (short) 65523, 10, 7, (short) 65519, ++ 5, 4, (short) 65515, 50, (short) 65509, 8, (short) 65505, -35 + }; + static short yyex[] = { + +- 0, 52, 65535, 1, 288, 18, 65535, 13, 0, 0, +- 65535, 1, 259, 49, 65535, 1, 262, 6, 65535, 1, +- 275, 52, 276, 52, 65535, 1, 276, 51, 65535, 1, +- 264, 52, 65535, 1, 276, 52, 65535, 1 ++ 0, 52, (short) 65535, 1, 288, 18, (short) 65535, 13, 0, 0, ++ (short) 65535, 1, 259, 49, (short) 65535, 1, 262, 6, (short) 65535, 1, ++ 275, 52, 276, 52, (short) 65535, 1, 276, 51, (short) 65535, 1, ++ 264, 52, (short) 65535, 1, 276, 52, (short) 65535, 1 + }; + static short yyact[] = { + +- 65499, 65534, 65455, 65490, 65491, 65497, 65498, 65495, 65496, 65489, ++ (short) 65499, (short) 65534, (short) 65455, (short) 65490, (short) 65491, (short) 65497, (short) 65498, (short) 65495, (short) 65496, (short) 65489, + 289, 278, 277, 274, 273, 268, 267, 262, 261, 258, +- 65487, 65503, 65490, 267, 266, 261, 65504, 258, 65487, 65490, +- 267, 261, 65505, 272, 65506, 288, 65507, 288, 65461, 262, +- 65460, 262, 65459, 262, 65482, 261, 65489, 289, 65511, 284, +- 65512, 288, 65522, 257, 65513, 259, 65479, 259, 65514, 258, +- 65462, 263, 65470, 275, 65474, 259, 65464, 276, 65463, 264, -1 ++ (short) 65487, (short) 65503, (short) 65490, 267, 266, 261, (short) 65504, 258, (short) 65487, (short) 65490, ++ 267, 261, (short) 65505, 272, (short) 65506, 288, (short) 65507, 288, (short) 65461, 262, ++ 
(short) 65460, 262, (short) 65459, 262, (short) 65482, 261, (short) 65489, 289, (short) 65511, 284, ++ (short) 65512, 288, (short) 65522, 257, (short) 65513, 259, (short) 65479, 259, (short) 65514, 258, ++ (short) 65462, 263, (short) 65470, 275, (short) 65474, 259, (short) 65464, 276, (short) 65463, 264, -1 + }; + static short yypact[] = { + +@@ -206,15 +206,15 @@ static short yypact[] = { + }; + static short yygo[] = { + +- 65471, 65476, 65477, 13, 65529, 65515, 65509, 21, 65473, 65472, +- 65492, 44, 65508, 65478, 65483, 65483, 65483, 65483, 65480, 65483, +- 65480, 65481, 65480, 65481, 65465, 65466, 65467, 65484, 40, 39, ++ (short) 65471, (short) 65476, (short) 65477, 13, (short) 65529, (short) 65515, (short) 65509, 21, (short) 65473, (short) 65472, ++ (short) 65492, 44, (short) 65508, (short) 65478, (short) 65483, (short) 65483, (short) 65483, (short) 65483, (short) 65480, (short) 65483, ++ (short) 65480, (short) 65481, (short) 65480, (short) 65481, (short) 65465, (short) 65466, (short) 65467, (short) 65484, 40, 39, + 38, 37, 36, 24, 21, 15, 13, 11, 8, 7, +- 2, 65520, 65524, 65527, 65528, 65533, 32, 30, 28, 23, +- 65525, 65488, 65510, 65494, 31, 65485, 65486, 65493, 29, 10, +- 65468, 65469, 24, 65530, 65526, 65531, 65521, 65517, 65452, 65458, +- 17, 16, 12, 65532, 65457, 65456, 3, 65502, 65501, 65500, +- 65454, 65453, 65519, 65523, 65516, 65518, 65475, -1 ++ 2, (short) 65520, (short) 65524, (short) 65527, (short) 65528, (short) 65533, 32, 30, 28, 23, ++ (short) 65525, (short) 65488, (short) 65510, (short) 65494, 31, (short) 65485, (short) 65486, (short) 65493, 29, 10, ++ (short) 65468, (short) 65469, 24, (short) 65530, (short) 65526, (short) 65531, (short) 65521, (short) 65517, (short) 65452, (short) 65458, ++ 17, 16, 12, (short) 65532, (short) 65457, (short) 65456, 3, (short) 65502, (short) 65501, (short) 65500, ++ (short) 65454, (short) 65453, (short) 65519, (short) 65523, (short) 65516, (short) 65518, (short) 65475, -1 + }; + static short yypgo[] = { + 
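Review bot: The `(short) 65535`-style casts added throughout yydef, yyex, yyact and yygo silence the narrowing error but keep encoding negative table entries as out-of-range unsigned literals, so the resulting values depend on the implementation-defined conversion (well-defined as modular only from C++20) of 65535 to -1, 65531 to -5, and so on. The same tables already spell negatives directly (`-35`, `-1` at the ends of yydef and yyact), so writing `-1, -5, 9, 53, -9, ...` in place of `(short) 65535, (short) 65531, 9, 53, (short) 65527, ...` would be portable and far more readable. yyparse.cpp looks like generated parser output, so if the tables are ever regenerated the fix is better applied to whatever emits them.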
diff --git a/tripwire-setup-keyfiles.in b/tripwire-setup-keyfiles.in
new file mode 100644
index 0000000..66ee0fa
--- /dev/null
+++ b/tripwire-setup-keyfiles.in
@@ -0,0 +1,329 @@
+#!/bin/sh
+
+########################################################################
+########################################################################
+##
+## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
+##
+## Copyleft information contained in footer
+##
+########################################################################
+########################################################################
+
+##=======================================================
+## Setup
+##=======================================================
+
+# We can assume all the correct tools are in place because the
+# RPM installed, didn't it?
+
+##-------------------------------------------------------
+## Set HOST_NAME variable
+##-------------------------------------------------------
+HOST_NAME='localhost'
+if uname -n > /dev/null 2> /dev/null ; then
+ HOST_NAME=`uname -n`
+fi
+
+##-------------------------------------------------------
+## Program variables - edited by RPM during initial install
+##-------------------------------------------------------
+
+# Site Passphrase variable
+TW_SITE_PASS=""
+
+# Complete path to site key
+SITE_KEY="@sysconfdir@/tripwire/site.key"
+
+# Local Passphrase variable
+TW_LOCAL_PASS=""
+
+# Complete path to local key
+LOCAL_KEY="@sysconfdir@/tripwire/${HOST_NAME}-local.key"
+
+# If clobber==true, overwrite files; if false, do not overwrite files.
+CLOBBER="false"
+
+# If prompt==true, ask for confirmation before continuing with install.
+PROMPT="true"
+
+# Name of twadmin executeable
+TWADMIN="twadmin"
+
+# Path to twadmin executeable
+TWADMPATH=@sbindir@
+
+# Path to configuration directory
+CONF_PATH="@sysconfdir@/tripwire"
+
+# Name of clear text policy file
+TXT_POL=$CONF_PATH/twpol.txt
+
+# Name of clear text configuration file
+TXT_CFG=$CONF_PATH/twcfg.txt
+
+# Name of encrypted configuration file
+CONFIG_FILE=$CONF_PATH/tw.cfg
+
+# Path of the final Tripwire policy file (signed)
+SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
+
+
+##=======================================================
+## Create Key Files
+##=======================================================
+
+##-------------------------------------------------------
+## If user has to enter a passphrase, give some
+## advice about what is appropriate.
+##-------------------------------------------------------
+
+if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
+cat << END_OF_TEXT
+
+----------------------------------------------
+The Tripwire site and local passphrases are used to sign a variety of
+files, such as the configuration, policy, and database files.
+
+Passphrases should be at least 8 characters in length and contain both
+letters and numbers.
+
+See the Tripwire manual for more information.
+END_OF_TEXT
+fi
+
+##=======================================================
+## Generate keys.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Creating key files..."
+
+##-------------------------------------------------------
+## Site key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it. Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
+ rm -f "$SITE_KEY"
+fi
+
+if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+ echo "The site key file \"$SITE_KEY\""
+ echo 'exists and will not be overwritten.'
+else
+ cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
+ if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+ fi
+ eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+ if [ $? -ne 0 ] ; then
+ echo "Error: site key generation failed"
+ exit 1
+ else chmod 640 "$SITE_KEY"
+ fi
+fi
+
+##-------------------------------------------------------
+## Local key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it. Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
+ rm -f "$LOCAL_KEY"
+fi
+
+if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+ echo "The local key file \"$LOCAL_KEY\""
+ echo 'exists and will not be overwritten.'
+else
+ cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
+ if [ -n "$TW_LOCAL_PASS" ] ; then
+ cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
+ fi
+ eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+ if [ $? -ne 0 ] ; then
+ echo "Error: local key generation failed"
+ exit 1
+ else chmod 640 "$LOCAL_KEY"
+ fi
+fi
+
+##=======================================================
+## Sign the Configuration File
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing configuration file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing config file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
+ backup="${CONFIG_FILE}.$$.bak"
+ echo "Backing up $CONFIG_FILE"
+ echo " to $backup"
+ `mv "$CONFIG_FILE" "$backup"`
+ if [ $? -ne 0 ] ; then
+ echo "Error: backup of configuration file failed."
+ exit 1
+ fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-cfgfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
+if [ $? -ne 0 ] ; then
+ echo "Error: signing of configuration file failed."
+ exit 1
+fi
+
+# Set the rights properly
+chmod 640 "$CONFIG_FILE"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire configuration file:
+$TXT_CFG
+has been preserved for your inspection. It is recommended that you
+move this file to a secure location and/or encrypt it in place (using a
+tool such as GPG, for example) after you have examined it.
+
+END_OF_TEXT
+
+##=======================================================
+## Sign tripwire policy file.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing policy file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing policy file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
+ backup="${POLICY_FILE}.$$.bak"
+ echo "Backing up $POLICY_FILE"
+ echo " to $backup"
+ mv "$POLICY_FILE" "$backup"
+ if [ $? -ne 0 ] ; then
+ echo "Error: backup of policy file failed."
+ exit 1
+ fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-polfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+ cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
+if [ $? -ne 0 ] ; then
+ echo "Error: signing of policy file failed."
+ exit 1
+fi
+
+# Set the proper rights on the newly signed policy file.
+chmod 0640 "$SIGNED_POL"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire policy file:
+$TXT_POL
+has been preserved for your inspection. This implements a minimal
+policy, intended only to test essential Tripwire functionality. You
+should edit the policy file to describe your system, and then use
+twadmin to generate a new signed copy of the Tripwire policy.
+
+Once you have a satisfactory Tripwire policy file, you should move the
+clear-text version to a secure location and/or encrypt it in place
+(using a tool such as GPG, for example).
+
+Now run "tripwire --init" to enter Database Initialization Mode. This
+reads the policy file, generates a database based on its contents, and
+then cryptographically signs the resulting database. Options can be
+entered on the command line to specify which policy, configuration, and
+key files are used to create the database. The filename for the
+database can be specified as well. If no options are specified, the
+default values from the current configuration file are used.
+
+END_OF_TEXT
+
+exit 0
+
+########################################################################
+########################################################################
+#
+# TRIPWIRE GPL NOTICES
+#
+# The developer of the original code and/or files is Tripwire, Inc.
+# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
+# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
+#
+# This program is free software. The contents of this file are subject to
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your option)
+# any later version. You may redistribute it and/or modify it only in
+# compliance with the GNU General Public License.
+#
+# This program is distributed in the hope that it will be useful. However,
+# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
+# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+# Please see the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Nothing in the GNU General Public License or any other license to use the
+# code or files shall permit you to use Tripwire's trademarks,
+# service marks, or other intellectual property without Tripwire's
+# prior written consent.
+#
+# If you have any questions, please contact Tripwire, Inc. at either
+# info@tripwire.org or www.tripwire.org.
+#
+########################################################################
+########################################################################
diff --git a/tripwire-siggen-man8.patch b/tripwire-siggen-man8.patch
new file mode 100644
index 0000000..a67a430
--- /dev/null
+++ b/tripwire-siggen-man8.patch
@@ -0,0 +1,47 @@
+diff -Nur tripwire-2.3.1-2/man/man8/siggen.8 tripwire-2.3.1-2.new/man/man8/siggen.8
+--- tripwire-2.3.1-2/man/man8/siggen.8 2001-03-04 00:30:29.000000000 +0000
++++ tripwire-2.3.1-2.new/man/man8/siggen.8 2004-02-19 01:18:43.000000000 +0000
+@@ -2,28 +2,25 @@
+ .\" Do not move or remove previous line.
+ .\" Used by some man commands to know that tbl should be used.
+ .nh
+-.TH SIGGEN 8 "1 July 2000"
++.TH SIGGEN 8 "19 Feb 2004"
+ .SH NAME
+ siggen \- signature gathering routine for Tripwire
+ .SH SYNOPSIS
+ .B siggen
+-.RI "[ " "options..." " ]"
+-.IR file1 " [ " "file2..." " ] "
+-
+-.I Options:
+-.RS +0.5i
+-.TS
+-;
+-lbw(0.8i) lb.
+--t --terse
+--h --hexadecimal
+--a --all
+--C --CRC32
+--M --MD5
+--S --SHA
+--H --HAVAL
+-.TE
+-.RE
++[
++.BR -t | --terse
++] [
++.BR -h | --hexadecimal
++] [
++.BR -a | --all
++] [
++.BR -C | --CRC32
++] [
++.BR -S | --SHA
++] [
++.BR -h | --HAVAL
++]
++.IR file1 ,,,
+ .SH DESCRIPTION
+ .PP
+ \fBsiggen\fP is a utility that displays the hash function values
diff --git a/tripwire.cron.in b/tripwire.cron.in
new file mode 100644
index 0000000..b8c1c8f
--- /dev/null
+++ b/tripwire.cron.in
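Review bot: The policy backup block (`if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then`) tests `POLICY_FILE`, which is never assigned anywhere in this script, so the noclobber backup of an existing signed policy is dead code and the following `--create-polfile` call overwrites tw.pol unconditionally; the path the script actually derives from twcfg.txt is `SIGNED_POL`, so the three `$POLICY_FILE` references in that block should read `"$SIGNED_POL"`. The neighbouring configuration backup wraps its move in backticks (`` `mv "$CONFIG_FILE" "$backup"` ``), which executes mv's (empty) output as a command and relies on the shell's exit-status rule for a bare substitution; it should be the plain `mv "$CONFIG_FILE" "$backup"` the policy block already uses. Separately, a non-empty `TW_SITE_PASS`/`TW_LOCAL_PASS` is spliced into `cmdargs` and re-parsed by `eval`, so a passphrase containing `"`, `$` or backticks breaks or injects into the command line, and whatever is passed is visible in the process list for as long as twadmin runs; both variables default to empty and the spec in this diff does not substitute them, so this only bites if someone sets them, which deserves a comment beside the variables such as `# NOTE: non-empty passphrases are exposed in ps(1) and must not contain shell metacharacters`.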
@@ -0,0 +1,13 @@
+#!/bin/sh
+HOST_NAME=`uname -n`
+if [ ! -e @vardir@/lib/tripwire/${HOST_NAME}.twd ] ; then
+ echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
+ echo "**** Run \"@sysconfdir@/tripwire/twinstall.sh\" and/or \"tripwire --init\". ****"
+elif [ -f @sysconfdir@/tripwire/tw.cfg ]; then
+ # if GLOBALEMAIL is configured, use it rather than cron mail
+ if [ -n "`@sbindir@/twadmin -m f | sed -n 's/^GLOBALEMAIL\W*=//p'`" ]; then
+ @sbindir@/tripwire --check --email-report --silent --no-tty-output
+ else
+ @sbindir@/tripwire --check
+ fi
+fi
diff --git a/tripwire.gif b/tripwire.gif
new file mode 100644
index 0000000..ac9d5eb
Binary files /dev/null and b/tripwire.gif differ
diff --git a/tripwire.spec b/tripwire.spec
new file mode 100644
index 0000000..9e928c9
--- /dev/null
+++ b/tripwire.spec
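Review bot: The missing-database hint on the second `echo` line points at `@sysconfdir@/tripwire/twinstall.sh`, but the spec in this same diff installs the renamed script as `%{_sbindir}/tripwire-setup-keyfiles` and its changelog records that move, so an operator following the message is sent to a path that does not exist; it should read `echo "**** Run \"@sbindir@/tripwire-setup-keyfiles\" and/or \"tripwire --init\". ****"`. In the GLOBALEMAIL branch `--silent --no-tty-output` discards console output and the exit status of `tripwire --check` is dropped on both branches, so a check that aborts before producing a report (unreadable config or key file, for example) leaves nothing in the cron mail; presumably the emailed report is meant to be the only signal, but appending `|| echo "**** Error: tripwire --check exited with status $? ****"` to each invocation would surface a failed run without changing the happy path. As far as I recall tripwire's non-zero status also encodes detected violations, so the status should be reported rather than used to abort the job.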
@@ -0,0 +1,480 @@
+%define path_to_vi /bin/vi
+%define path_to_sendmail /usr/sbin/sendmail
+
+Name: tripwire
+Version: 2.4.3.7
+Release: 20%{?dist}
+Summary: IDS (Intrusion Detection System)
+
+License: GPL-2.0-or-later
+Source0: https://github.com/Tripwire/%{name}-open-source/releases/download/%{version}/%{name}-open-source-%{version}.tar.gz
+Source1: tripwire.cron.in
+Source3: tripwire.gif
+Source4: twcfg.txt.in
+Source5: tripwire-setup-keyfiles.in
+Source6: twpol.txt.in
+Source7: README.Fedora.in
+Source9: License-Issues
+URL: https://github.com/Tripwire/%{name}-open-source/
+
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: openssl-devel
+Requires(post): sed
+
+
+%description
+Tripwire is a very valuable security tool for Linux systems, if it is
+installed to a clean system. Tripwire should be installed right after
+the OS installation, and before you have connected your system to a
+network (i.e., before any possibility exists that someone could alter
+files on your system).
+
+When Tripwire is initially set up, it creates a database that records
+certain file information. Then when it is run, it compares a designated
+set of files and directories to the information stored in the database.
+Added or deleted files are flagged and reported, as are any files that
+have changed from their previously recorded state in the database. When
+Tripwire is run against system files on a regular basis, any file
+changes will be spotted when Tripwire is run. Tripwire will report the
+changes, which will give system administrators a clue that they need to
+enact damage control measures immediately if certain files have been
+altered.
+
+%prep
+%setup -q -n %{name}-open-source-%{version}
+%{__cp} -p %{SOURCE3} .
+
+%build
+export CXXFLAGS="-std=c++14 $RPM_OPT_FLAGS"
+%configure --sysconfdir=%{_sysconfdir}/tripwire \
+ path_to_vi=%{path_to_vi} \
+ path_to_sendmail=%{path_to_sendmail}
+
+%{__make} %{?_smp_mflags}
+
+%install
+%{__rm} -fr %{buildroot}
+
+# Install the binaries.
+%{__mkdir_p} %{buildroot}%{_sbindir}
+%{__install} -p -m755 bin/siggen %{buildroot}%{_sbindir}
+%{__install} -p -m755 bin/tripwire %{buildroot}%{_sbindir}
+%{__install} -p -m755 bin/twadmin %{buildroot}%{_sbindir}
+%{__install} -p -m755 bin/twprint %{buildroot}%{_sbindir}
+
+# Install the man pages.
+%{__mkdir_p} %{buildroot}%{_mandir}/{man4,man5,man8}
+%{__install} -p -m644 man/man4/*.4 %{buildroot}%{_mandir}/man4/
+%{__install} -p -m644 man/man5/*.5 %{buildroot}%{_mandir}/man5/
+%{__install} -p -m644 man/man8/*.8 %{buildroot}%{_mandir}/man8/
+
+# Create configuration files from templates.
+%{__rm} -fr _tmpcfg
+%{__mkdir} _tmpcfg
+for infile in %{SOURCE1} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} ; do
+ outfile=${infile##/*/}
+ outfile=${outfile%.*n}
+ cat ${infile} |\
+ %{__sed} -e 's|@path_to_vi@|%{path_to_vi}|g' |\
+ %{__sed} -e 's|@path_to_sendmail@|%{path_to_sendmail}|g' |\
+ %{__sed} -e 's|@sysconfdir@|%{_sysconfdir}|g' |\
+ %{__sed} -e 's|@sbindir@|%{_sbindir}|g' |\
+ %{__sed} -e 's|@vardir@|%{_var}|g' >\
+ _tmpcfg/${outfile}
+done
+%{__mv} _tmpcfg/{tripwire-setup-keyfiles,README.Fedora} .
+
+# Create the reports directory.
+%{__install} -d -m700 %{buildroot}%{_var}/lib/tripwire/report
+
+# Install the cron job.
+%{__install} -d -m755 %{buildroot}%{_sysconfdir}/cron.daily
+%{__install} -p -m755 _tmpcfg/tripwire.cron \
+ %{buildroot}%{_sysconfdir}/cron.daily/tripwire-check
+%{__rm} _tmpcfg/tripwire.cron
+
+# Install configuration files.
+%{__mkdir_p} %{buildroot}%{_sysconfdir}/tripwire
+for file in _tmpcfg/* ; do
+ %{__install} -p -m644 ${file} %{buildroot}%{_sysconfdir}/tripwire
+done
+
+# Install the keyfile setup script
+%{__install} -p -m755 tripwire-setup-keyfiles %{buildroot}%{_sbindir}
+
+# Fix permissions on documentation files.
+%{__cp} -p %{SOURCE9} .
+%{__chmod} 644 \
+ ChangeLog COMMERCIAL COPYING TRADEMARK tripwire.gif \
+ README.Fedora policy/policyguide.txt License-Issues
+
+
+%post
+# Set the real hostname in twpol.txt
+%{__sed} -i -e "s|localhost|$HOSTNAME|g" %{_sysconfdir}/tripwire/twpol.txt
+
+
+%files
+%doc ChangeLog COMMERCIAL COPYING TRADEMARK tripwire.gif
+%doc README.Fedora policy/policyguide.txt License-Issues
+%attr(0700,root,root) %dir %{_sysconfdir}/tripwire
+%config(noreplace) %{_sysconfdir}/tripwire/twcfg.txt
+%config(noreplace) %{_sysconfdir}/tripwire/twpol.txt
+%attr(0755,root,root) %{_sysconfdir}/cron.daily/tripwire-check
+%attr(0700,root,root) %dir %{_var}/lib/tripwire
+%attr(0700,root,root) %dir %{_var}/lib/tripwire/report
+%{_mandir}/*/*
+%attr(0755,root,root) %{_sbindir}/*
+
+
+%changelog
+* Fri Jul 25 2025 Fedora Release Engineering - 2.4.3.7-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Sun Jan 19 2025 Fedora Release Engineering - 2.4.3.7-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sat Jul 20 2024 Fedora Release Engineering - 2.4.3.7-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Sat Jan 27 2024 Fedora Release Engineering - 2.4.3.7-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Nov 04 2023 Didier Fabert - 2.4.3.7-16
+- migrated to SPDX license
+
+* Sat Jul 22 2023 Fedora Release Engineering - 2.4.3.7-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Sat Jan 21 2023 Fedora Release Engineering - 2.4.3.7-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering - 2.4.3.7-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering - 2.4.3.7-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad - 2.4.3.7-11
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering - 2.4.3.7-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.4.3.7-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Aug 18 2020 Jeff Law - 2.4.3.7-8
+- Force C++14 as this code is not C++17 ready
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.4.3.7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.4.3.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.4.3.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.4.3.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 21 2018 Didier Fabert - 2.4.3.7-3
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=1606572
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.4.3.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 19 2018 Didier Fabert - 2.4.3.7-1
+- update to 2.4.3.7
+
+* Fri Feb 09 2018 Fedora Release Engineering - 2.4.3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Oct 04 2017 Didier Fabert - 2.4.3.6-1
+- update to 2.4.3.6
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.4.3.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.4.3.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 06 2017 Didier Fabert - 2.4.3.5-1
+- update to 2.4.3.5
+
+* Fri Mar 10 2017 Didier Fabert - 2.4.3.4-1
+- update to 2.4.3.4
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=1429542
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=1435181
+
+* Sat Mar 04 2017 Didier Fabert - 2.4.3.3-1
+- update to 2.4.3.3
+
+* Tue Feb 14 2017 Didier Fabert - 2.4.3.2-3
+- Fix #1421468 by removing defattr macro in files section
+- Remove executable permission on 2 cpp files.
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.4.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 02 2017 Didier Fabert - 2.4.3.2-1
+- update to 2.4.3.2
+- Remove personal config.guess
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=830999
+
+* Sat Apr 23 2016 Didier Fabert - 2.4.3.1-1
+- update to 2.4.3.1
+
+* Sat Apr 16 2016 Didier Fabert - 2.4.3.0-1
+- update to 2.4.3.0
+- switch upstream from sourceforge to github (official sources)
+- Patch to avoid narrowing errors
+
+* Fri Feb 05 2016 Fedora Release Engineering - 2.4.2.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering - 2.4.2.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat May 02 2015 Kalev Lember - 2.4.2.2-8
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Tue Sep 16 2014 Moez Roy - 2.4.2.2-7
+- F21 build patch as suggested by Michael Schwendt on devel mailing list
+
+
+* Mon Aug 18 2014 Fedora Release Engineering - 2.4.2.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 2.4.2.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sun Aug 04 2013 Fedora Release Engineering - 2.4.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Feb 15 2013 Fedora Release Engineering - 2.4.2.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jul 22 2012 Fedora Release Engineering - 2.4.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Mar 5 2012 Tom Callaway - 2.4.2.2-1
+- update to 2.4.2.2
+
+* Tue Feb 28 2012 Fedora Release Engineering - 2.4.1.2-14
+- Rebuilt for c++ ABI breakage
+
+* Sat Jan 14 2012 Fedora Release Engineering - 2.4.1.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Feb 09 2011 Fedora Release Engineering - 2.4.1.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Aug 21 2009 Tomas Mraz - 2.4.1.2-11
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.4.1.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Apr 7 2009 Steven M. Parrish - 2.4.1.2-9
+- Added support for /usr/lib64 & /usr/local/lib64
+
+* Wed Feb 25 2009 Fedora Release Engineering - 2.4.1.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz - 2.4.1.2-7
+- rebuild with new openssl
+
+* Mon Sep 8 2008 Tom "spot" Callaway - 2.4.1.2-6
+- fix license tag
+
+* Mon Feb 11 2008 Brandon Holbrook 2.4.1.2-5
+- Rebuild for gcc-4.3
+
+* Fri Dec 07 2007 Release Engineering - 2.4.1.2-4
+- Rebuild for deps
+
+* Wed Aug 29 2007 Brandon Holbrook 2.4.1.2-3
+- Pull in a new config.guess to properly detect ppc64 archs
+
+* Wed Aug 29 2007 Brandon Holbrook 2.4.1.2-2
+- Upgrade to 2.4.1.2
+
+* Wed Feb 28 2007 Brandon Holbrook 2.4.1.1-1
+- Upgrade to upstream 2.4.1.1 (obsoletes gcc4 patch)
+- Merge quickstart.txt into README.Fedora and fix doc bug (#161764)
+
+* Thu Dec 21 2006 Brandon Holbrook 2.4.0.1-4
+- Don't print anything at install time
+
+* Tue Dec 19 2006 Brandon Holbrook 2.4.0.1-3
+- Changed defattr to 644,755
+- removed BR: autoconf
+- Inform users about README.Fedora instead of spamming the install
+ with catting the whole file
+
+* Wed Nov 15 2006 Brandon Holbrook 2.4.0.1-2
+- chmod'ed /etc/tripwire to 0700
+- Added sed to Requires(post)
+
+* Tue Aug 22 2006 Brandon Holbrook 2.4.0.1-1.4
+- Include COMMERCIAL file from upstream
+- Print README.RPM on initial install
+- Added _smp_mflags to make
+- Removed ExclusiveArch: ix86
+- Replaced 2.3 with 2.4 in tripwire.txt
+
+* Tue Aug 22 2006 Brandon Holbrook 2.4.0.1-1.2
+- Updated to 2.4.0.1
+
+* Thu Apr 7 2005 Michael Schwendt
+- rebuilt
+
+* Tue Jun 15 2004 Keith G. Robertson-Turner 0:2.3.1-20.fdr.1
+- Revision bump to supersede Fedora Legacy
+- Fixed a bogus entry in twpol.txt.in (modeprobe.conf -> modprobe.conf)
+
+* Thu Jun 10 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.9
+- Applied Paul Herman's patch to fix a format string vulnerability in
+ pipedmailmessage.cpp
+
+* Sun Feb 29 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.8
+- Default policy overhaul
+- Spec cleanup
+
+* Sun Feb 22 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.7
+- Moved documentation data out of package description
+
+* Sat Feb 21 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.6
+- Removed explicit Buildrequires gcc-c++
+
+* Fri Feb 20 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.5
+- Finally moved twinstall.sh from the sysconfdir to the sbindir, since
+ it is not a configuration file. Fixes Red Hat bug #61855
+- Renamed twinstall.sh to tripwire-setup-keyfiles, since the name is
+ misleading. It is setting up keyfiles, not installing an application
+- Minor correction to twinstall.sh (now tripwire-setup-keyfiles), which
+ made an incorrect reference to the site key rather than the local key
+- Long overdue default policy update
+- Added explicit Buildrequires gcc-c++, to satisfy mach
+
+* Thu Feb 19 2004 Keith G. Robertson-Turner 0:2.3.1-18.fdr.4
+- Fixed siggen.8 man page, broken command synopsis syntax. Submitted by
+ doclifter
+- Set real hostname in post, so Tripwire works first time, without
+ editing twpol.txt
+- More accurate package summary
+- Spec cleanup
+
+* Fri Nov 28 2003 Keith G. Robertson-Turner 0:2.3.1-18.fdr.3
+- Thanks to Michael Schwendt for really cleaning up the Spec file
+- The remaining parts of the original tripwire-2.3.1-gcc3.patch have
+ now been implemented
+- Debuginfo fully builds now
+
+* Thu Nov 27 2003 Keith G. Robertson-Turner 0:2.3.1-18.fdr.2
+- Removed version specific grep dependency, since grep >= 2.3 is common
+- Added openssl-devel and autoconf to build dependencies
+- The tripwire-jbj.patch is now confirmed merged with tw-20030919.patch
+- Added RPM optimisation flags option, disabled by default since it
+ breaks the code
+- Fixed file permissions of packaged files
+
+* Wed Nov 26 2003 Keith G. Robertson-Turner 0:2.3.1-18.fdr.1
+- Implemented Paul Herman's tw-20030919.patch
+- Removed the fhs gcc3 and jbj patches, which are now broken/obsoleted
+ by the above
+- Both the mkstemp and rfc822 patches are still implemented
+- Build uses autoconf for now
+- Spec file given complete overhaul for stricter compliance. More to do
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Sat Nov 16 2002 Jeff Johnson 2.3.1-16
+- rebuild from cvs.
+- comment out debug messages to achieve compilation.
+- include policyguide.txt (#72259).
+- use mkstemp, not mktemp.
+
+* Fri Aug 02 2002 Mike A. Harris 2.3.1-14
+- Modified default sample twpol file to remove bogus warnings (#70502)
+
+* Fri Jun 21 2002 Tim Powers 2.3.1-13
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers 2.3.1-12
+- automated rebuild
+
+* Wed May 22 2002 Mike A. Harris 2.3.1-11
+- Rebuilt in new build environment with gcc 3.1
+
+* Tue Feb 26 2002 Mike A. Harris 2.3.1-9
+- Conditionalized gcc3 patch
+- Added back the ExclusiveArch that is required but disappeared somewhere along
+ the line.
+- Rebuild in new build environment
+
+* Thu Jan 31 2002 Mike A. Harris 2.3.1-7
+- Bump release and rebuild in new environment.
+- (Elliot Lee) Add patch to make it build with gcc3.
+
+* Thu Aug 9 2001 Nalin Dahyabhai 2.3.1-5
+- define USE_FHS when USES_FHS is defined, so that the database winds up
+ in the right directory (#51332)
+- update default twpol file to include files recently-added to the full
+ installation tree
+
+* Tue Jul 17 2001 Mike A. Harris 2.3.1-4
+- Applied bugfix for (#47276) to make tripwire email RFC822 compliant, using
+ patch in bugreport from Michael Schwendt
+
+* Tue Jul 10 2001 Mike A. Harris 2.3.1-3
+- Made package own dir /var/lib/tripwire
+
+* Mon Jun 25 2001 Nalin Dahyabhai
+- update to 2.3.1-2
+
+* Thu Mar 1 2001 Bill Nottingham
+- rebuild, fix defattr. Weird.
+
+* Tue Feb 27 2001 Nalin Dahyabhai
+- refresh from upstream
+- modify the default policy to match the current tree more closely (#28744)
+- make the text files 0644, not 0755
+- defattr for the sake of the docs
+
+* Wed Sep 20 2000 Nalin Dahyabhai
+- change exclusivearch: i386 to exclusivearch: %%{ix86} (#17759)
+
+* Wed Aug 23 2000 Than Ngo
+- remove copyleft information in specfile (Bug #16765)
+
+* Tue Aug 22 2000 Nalin Dahyabhai
+- remove duplicate source files
+- sync up description with specspo
+
+* Fri Aug 4 2000 Than Ngo
+- remove Vendor and Distribution from specfile (Bug #15246)
+
+* Fri Aug 4 2000 Than Ngo
+- starts tripwire --check if it was configured before. (Bug #15384)
+
+* Fri Aug 4 2000 Nalin Dahyabhai
+- fix sense of checking for the database's existence in the cron job
+- actually include twinstall.sh, twcfg.txt, twpol.txt
+
+* Thu Aug 3 2000 Than Ngo
+- permission fix (bug #15246)
+
+* Mon Jul 31 2000 Nalin Dahyabhai
+- add quickstart docs (Ed)
+- tweak description text (Ed)
+
+* Thu Jul 20 2000 Nalin Dahyabhai
+- update .spec file to follow RPM conventions
+- add tripwire --check to cron.daily
+
diff --git a/twcfg.txt.in b/twcfg.txt.in
new file mode 100644
index 0000000..db1dc5c
--- /dev/null
+++ b/twcfg.txt.in
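Review bot: The `%post` scriptlet rewrites twpol.txt with `s|localhost|$HOSTNAME|g`, taking the name from whatever the scriptlet shell has in its environment; when `HOSTNAME` is empty or unset (image and container builds, or a non-bash /bin/sh) the policy is left with `HOSTNAME=;`, the global pattern also rewrites any other `localhost` token in the file, and because twpol.txt is `%config(noreplace)` the sed runs again on the administrator's edited copy at every upgrade. A safer form is `host="${HOSTNAME:-$(uname -n)}"` followed by `[ -n "$host" ] && %{__sed} -i -e "s|^HOSTNAME=localhost;|HOSTNAME=${host};|" %{_sysconfdir}/tripwire/twpol.txt`, anchored on the policy's actual `HOSTNAME=localhost;` assignment so an already-customised file is left alone; `uname` would then need `Requires(post): coreutils` next to the existing `Requires(post): sed`. Source0 is fetched from a GitHub release URL with no signature or hash verification visible in this hunk; presumably the lookaside `sources` checksum covers tarball integrity, but that file is not part of this diff, so it is worth confirming.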
@@ -0,0 +1,15 @@
+ROOT =@sbindir@
+POLFILE =@sysconfdir@/tripwire/tw.pol
+DBFILE =@vardir@/lib/tripwire/$(HOSTNAME).twd
+REPORTFILE =@vardir@/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
+SITEKEYFILE =@sysconfdir@/tripwire/site.key
+LOCALKEYFILE =@sysconfdir@/tripwire/$(HOSTNAME)-local.key
+EDITOR =@path_to_vi@
+LATEPROMPTING =false
+LOOSEDIRECTORYCHECKING =false
+MAILNOVIOLATIONS =true
+EMAILREPORTLEVEL =3
+REPORTLEVEL =3
+MAILMETHOD =SENDMAIL
+SYSLOGREPORTING =false
+MAILPROGRAM =@path_to_sendmail@ -oi -t
diff --git a/twpol.txt.in b/twpol.txt.in
new file mode 100644
index 0000000..9d8e151
--- /dev/null
+++ b/twpol.txt.in
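Review bot: `LOOSEDIRECTORYCHECKING =false` contradicts the policy file added in the same change, whose header tells the administrator that the example policy is best run with loose directory checking enabled and to set `LOOSEDIRECTORYCHECKING=TRUE`; whichever setting the packagers actually intend, the two shipped files should agree, since the policy comment presumably exists because the strict setting reports directory-entry churn the default rules do not otherwise account for. `SYSLOGREPORTING =false` also leaves integrity results only in the local report file and the mail sent by the cron job, both of which an attacker who already has root can suppress; setting `SYSLOGREPORTING =true` adds a per-run summary to syslog, which is the one channel commonly forwarded off-host, at no cost to the existing email path.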
@@ -0,0 +1,1038 @@
+# identifier: tripwire IDS policy input file
+# host: Fedora Core release 1 (Yarrow)
+# version: 2.3.1-19.fdr.1
+# maintainer: Keith G. Robertson-Turner
+# validator: unvalidated
+# date: Tue Jun 15 17:09:21 BST 2004
+
+# description:
+# This is an example Tripwire Policy input file. It is intended as the
+# starting point to creating your own custom Tripwire Policy. Referring
+# to it, as well as the Tripwire Policy Guide, should give you enough
+# information to make a good custom Tripwire Policy that better fits
+# your configuration and security needs. This text version will be used
+# by tripwire as input to create a proprietary type of file called a
+# Tripwire Policy file, which will then be signed for further security.
+# It is recommended that once you complete the creation of the Policy
+# file, you move this plaintext version to a secure location (possibly
+# on removable media) or encrypt the file using a tool such as GPG. You
+# should also do this for the Tripwire plaintext configuration file
+# (twcfg.txt) once you have finished setting up the Policy.
+#
+# Note that this file is tuned to an "everything" install of Fedora
+# Linux. If run unmodified, this file should create no errors on
+# database creation, or violations on a subsequent integrity check.
+# However, it is impossible for there to be one policy file for all
+# machines, so this existing one errs on the side of security. Your
+# Linux configuration will most likely differ from the one our policy
+# file was tuned to, and will therefore require some editing of the
+# default Tripwire Policy file. The example policy file is best run
+# with "Loose Directory Checking" enabled.
+#
+# Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration file.
+#
+# Note - legacy entries (which are commented out) are included for
+# historical reasons only, and are overdue for removal. They will
+# likely disappear from future releases.
+# +# The following info is only really useful for non-RPM distributions: +# +# Email support is not included and must be added to this file. Add the +# "emailto=" to the rule directive section of each rule (add a comma +# after the "severity=" line and add an "emailto=" and include the +# email addresses you want the violation reports to go to). Addresses +# are semi-colon delimited. +# +# If you installed from the Fedora RPM, a cron job has already been set +# up for you. Tripwire will perform an integrity check once every day, +# and the generated report will be emailed to root. In this case, you +# do not need to perform the steps in the previous paragraph. + +# policy: + + +# Global Variable Definitions + +@@section GLOBAL +TWROOT=@sbindir@; +TWBIN=@sbindir@; +TWPOL="@sysconfdir@/tripwire"; +TWDB="@vardir@/lib/tripwire"; +TWSKEY="@sysconfdir@/tripwire"; +TWLKEY="@sysconfdir@/tripwire"; +TWREPORT="@vardir@/lib/tripwire/report"; +HOSTNAME=localhost; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries + +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases 
+ +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +# +# This commercial product has been phased out and is no longer +# supported. This section will disappear from future releases. +# +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this +# policy file) to correct the paths. We have attempted to support the +# FHS standard here by placing the HQ Agent files similarly to the way +# Tripwire 2.3 places them. + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ + # NOTE: Removing the inode attribute because when Tripwire creates a + # backup it does so by renaming the old file and creating a new one + # (which will have a new inode number). Leaving inode turned on for + # keys, which shouldn't ever change. 
+# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; # legacy +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; # legacy +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; # legacy +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; # legacy +# + # Uncomment if you have agent logging enabled. + #/var/log/tripwire/agent.log -> $(SEC_LOG) ; # legacy +#} + + +# Commonly accessed directories that should remain static with regards +# to owner and group. + +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = 0) ; + /home -> $(SEC_INVARIANT) (recurse = 0) ; + /etc -> $(SEC_INVARIANT) (recurse = 0) ; +} + + +# File System and Disk Administration Programs. + +( + rulename = "File System and Disk Administraton Programs", + severity = $(SIG_HI) +) +{ + /sbin/accton -> $(SEC_CRIT) ; + /sbin/badblocks -> $(SEC_CRIT) ; + /sbin/busybox -> $(SEC_CRIT) ; + /sbin/busybox.anaconda -> $(SEC_CRIT) ; + /sbin/convertquota -> $(SEC_CRIT) ; + /sbin/dosfsck -> $(SEC_CRIT) ; + /sbin/debugfs -> $(SEC_CRIT) ; + /sbin/debugreiserfs -> $(SEC_CRIT) ; + /sbin/dumpe2fs -> $(SEC_CRIT) ; + /sbin/dump -> $(SEC_CRIT) ; + /sbin/dump.static -> $(SEC_CRIT) ; + #/sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? 
# legacy + /sbin/e2fsck -> $(SEC_CRIT) ; + /sbin/e2label -> $(SEC_CRIT) ; + /sbin/fdisk -> $(SEC_CRIT) ; + /sbin/fsck -> $(SEC_CRIT) ; + /sbin/fsck.ext2 -> $(SEC_CRIT) ; + /sbin/fsck.ext3 -> $(SEC_CRIT) ; + #/sbin/fsck.minix -> $(SEC_CRIT) ; + /sbin/fsck.msdos -> $(SEC_CRIT) ; + /sbin/fsck.vfat -> $(SEC_CRIT) ; + /sbin/ftl_check -> $(SEC_CRIT) ; + /sbin/ftl_format -> $(SEC_CRIT) ; + /sbin/hdparm -> $(SEC_CRIT) ; + #/sbin/lvchange -> $(SEC_CRIT) ; + #/sbin/lvcreate -> $(SEC_CRIT) ; + #/sbin/lvdisplay -> $(SEC_CRIT) ; + #/sbin/lvextend -> $(SEC_CRIT) ; + #/sbin/lvmchange -> $(SEC_CRIT) ; + #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; + #/sbin/lvmdiskscan -> $(SEC_CRIT) ; + #/sbin/lvmsadc -> $(SEC_CRIT) ; + #/sbin/lvmsar -> $(SEC_CRIT) ; + #/sbin/lvreduce -> $(SEC_CRIT) ; + #/sbin/lvremove -> $(SEC_CRIT) ; + #/sbin/lvrename -> $(SEC_CRIT) ; + #/sbin/lvscan -> $(SEC_CRIT) ; + /sbin/mkbootdisk -> $(SEC_CRIT) ; + /sbin/mkdosfs -> $(SEC_CRIT) ; + /sbin/mke2fs -> $(SEC_CRIT) ; + /sbin/mkfs -> $(SEC_CRIT) ; + #/sbin/mkfs.bfs -> $(SEC_CRIT) ; + /sbin/mkfs.ext2 -> $(SEC_CRIT) ; + #/sbin/mkfs.minix -> $(SEC_CRIT) ; + /sbin/mkfs.msdos -> $(SEC_CRIT) ; + /sbin/mkfs.vfat -> $(SEC_CRIT) ; + /sbin/mkinitrd -> $(SEC_CRIT) ; + #/sbin/mkpv -> $(SEC_CRIT) ; + /sbin/mkraid -> $(SEC_CRIT) ; + /sbin/mkreiserfs -> $(SEC_CRIT) ; + /sbin/mkswap -> $(SEC_CRIT) ; + #/sbin/mtx -> $(SEC_CRIT) ; + /sbin/pam_console_apply -> $(SEC_CRIT) ; + /sbin/parted -> $(SEC_CRIT) ; + /sbin/pcinitrd -> $(SEC_CRIT) ; + #/sbin/pvchange -> $(SEC_CRIT) ; + #/sbin/pvcreate -> $(SEC_CRIT) ; + #/sbin/pvdata -> $(SEC_CRIT) ; + #/sbin/pvdisplay -> $(SEC_CRIT) ; + #/sbin/pvmove -> $(SEC_CRIT) ; + #/sbin/pvscan -> $(SEC_CRIT) ; + /sbin/quotacheck -> $(SEC_CRIT) ; + /sbin/quotaon -> $(SEC_CRIT) ; + /sbin/raidstart -> $(SEC_CRIT) ; + /sbin/reiserfsck -> $(SEC_CRIT) ; + /sbin/resize2fs -> $(SEC_CRIT) ; + /sbin/resize_reiserfs -> $(SEC_CRIT) ; + /sbin/restore -> $(SEC_CRIT) ; + /sbin/restore.static -> $(SEC_CRIT) ; + 
/sbin/scsi_info -> $(SEC_CRIT) ; + /sbin/sfdisk -> $(SEC_CRIT) ; + /sbin/stinit -> $(SEC_CRIT) ; + #/sbin/tapeinfo -> $(SEC_CRIT) ; # legacy + /sbin/tune2fs -> $(SEC_CRIT) ; + /sbin/unpack -> $(SEC_CRIT) ; + #/sbin/update -> $(SEC_CRIT) ; + #/sbin/vgcfgbackup -> $(SEC_CRIT) ; + #/sbin/vgcfgrestore -> $(SEC_CRIT) ; + #/sbin/vgchange -> $(SEC_CRIT) ; + #/sbin/vgck -> $(SEC_CRIT) ; + #/sbin/vgcreate -> $(SEC_CRIT) ; + #/sbin/vgdisplay -> $(SEC_CRIT) ; + #/sbin/vgexport -> $(SEC_CRIT) ; + #/sbin/vgextend -> $(SEC_CRIT) ; + #/sbin/vgimport -> $(SEC_CRIT) ; + #/sbin/vgmerge -> $(SEC_CRIT) ; + #/sbin/vgmknodes -> $(SEC_CRIT) ; + #/sbin/vgreduce -> $(SEC_CRIT) ; + #/sbin/vgremove -> $(SEC_CRIT) ; + #/sbin/vgrename -> $(SEC_CRIT) ; + #/sbin/vgscan -> $(SEC_CRIT) ; + #/sbin/vgsplit -> $(SEC_CRIT) ; + /bin/chgrp -> $(SEC_CRIT) ; + /bin/chmod -> $(SEC_CRIT) ; + /bin/chown -> $(SEC_CRIT) ; + /bin/cp -> $(SEC_CRIT) ; + /bin/cpio -> $(SEC_CRIT) ; + /bin/mount -> $(SEC_CRIT) ; + /bin/umount -> $(SEC_CRIT) ; + /bin/mkdir -> $(SEC_CRIT) ; + /bin/mknod -> $(SEC_CRIT) ; + /bin/mktemp -> $(SEC_CRIT) ; + /bin/rm -> $(SEC_CRIT) ; + /bin/rmdir -> $(SEC_CRIT) ; + /bin/touch -> $(SEC_CRIT) ; +} + + +# Kernel Administration Programs. + +( + rulename = "Kernel Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin/adjtimex -> $(SEC_CRIT) ; + /sbin/ctrlaltdel -> $(SEC_CRIT) ; + /sbin/depmod -> $(SEC_CRIT) ; + /sbin/insmod -> $(SEC_CRIT) ; + /sbin/insmod.static -> $(SEC_CRIT) ; + /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; + /sbin/klogd -> $(SEC_CRIT) ; + /sbin/ldconfig -> $(SEC_CRIT) ; + /sbin/minilogd -> $(SEC_CRIT) ; + /sbin/modinfo -> $(SEC_CRIT) ; + #/sbin/nuactlun -> $(SEC_CRIT) ; + #/sbin/nuscsitcpd -> $(SEC_CRIT) ; + /sbin/pivot_root -> $(SEC_CRIT) ; + /sbin/sndconfig -> $(SEC_CRIT) ; + /sbin/sysctl -> $(SEC_CRIT) ; +} + + +# Networking Programs. 
+ +( + rulename = "Networking Programs", + severity = $(SIG_HI) +) +{ + /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; + /bin/ping -> $(SEC_CRIT) ; + /sbin/agetty -> $(SEC_CRIT) ; + /sbin/arp -> $(SEC_CRIT) ; + /sbin/arping -> $(SEC_CRIT) ; + /sbin/dhclient -> $(SEC_CRIT) ; + /sbin/ether-wake -> $(SEC_CRIT) ; + #/sbin/getty -> $(SEC_CRIT) ; + /sbin/ifcfg -> $(SEC_CRIT) ; + /sbin/ifconfig -> $(SEC_CRIT) ; + /sbin/ifdown -> $(SEC_CRIT) ; + /sbin/ifenslave -> $(SEC_CRIT) ; + /sbin/ifport -> $(SEC_CRIT) ; + 
/sbin/ifup -> $(SEC_CRIT) ; + /sbin/ifuser -> $(SEC_CRIT) ; + /sbin/ip -> $(SEC_CRIT) ; + /sbin/ip6tables -> $(SEC_CRIT) ; + #/sbin/ipchains -> $(SEC_CRIT) ; # legacy + #/sbin/ipchains-restore -> $(SEC_CRIT) ; # legacy + #/sbin/ipchains-save -> $(SEC_CRIT) ; # legacy + #/sbin/ipfwadm -> $(SEC_CRIT) ; + /sbin/ipmaddr -> $(SEC_CRIT) ; + /sbin/iptables -> $(SEC_CRIT) ; + /sbin/iptables-restore -> $(SEC_CRIT) ; + /sbin/iptables-save -> $(SEC_CRIT) ; + /sbin/iptunnel -> $(SEC_CRIT) ; + #/sbin/ipvsadm -> $(SEC_CRIT) ; + #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; + #/sbin/ipvsadm-save -> $(SEC_CRIT) ; + /sbin/ipx_configure -> $(SEC_CRIT) ; + /sbin/ipx_interface -> $(SEC_CRIT) ; + /sbin/ipx_internal_net -> $(SEC_CRIT) ; + /sbin/iwconfig -> $(SEC_CRIT) ; + /sbin/iwgetid -> $(SEC_CRIT) ; + /sbin/iwlist -> $(SEC_CRIT) ; + /sbin/iwpriv -> $(SEC_CRIT) ; + /sbin/iwspy -> $(SEC_CRIT) ; + /sbin/mgetty -> $(SEC_CRIT) ; + /sbin/mingetty -> $(SEC_CRIT) ; + /sbin/nameif -> $(SEC_CRIT) ; + /sbin/netreport -> $(SEC_CRIT) ; + /sbin/plipconfig -> $(SEC_CRIT) ; + /sbin/portmap -> $(SEC_CRIT) ; + /sbin/ppp-watch -> $(SEC_CRIT) ; + #/sbin/rarp -> $(SEC_CRIT) ; + /sbin/route -> $(SEC_CRIT) ; + /sbin/slattach -> $(SEC_CRIT) ; + /sbin/tc -> $(SEC_CRIT) ; + #/sbin/uugetty -> $(SEC_CRIT) ; + /sbin/vgetty -> $(SEC_CRIT) ; + /sbin/ypbind -> $(SEC_CRIT) ; +} + + +# System Administration Programs. 
+ +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin/chkconfig -> $(SEC_CRIT) ; + /sbin/fuser -> $(SEC_CRIT) ; + /sbin/halt -> $(SEC_CRIT) ; + /sbin/init -> $(SEC_CRIT) ; + /sbin/initlog -> $(SEC_CRIT) ; + /sbin/install-info -> $(SEC_CRIT) ; + /sbin/killall5 -> $(SEC_CRIT) ; + #/sbin/linuxconf -> $(SEC_CRIT) ; # legacy + #/sbin/linuxconf-auth -> $(SEC_CRIT) ; # legacy + /sbin/pam_tally -> $(SEC_CRIT) ; + /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; + #/sbin/remadmin -> $(SEC_CRIT) ; + /sbin/rescuept -> $(SEC_CRIT) ; + /sbin/rmt -> $(SEC_CRIT) ; + /sbin/rpc.lockd -> $(SEC_CRIT) ; + /sbin/rpc.statd -> $(SEC_CRIT) ; + /sbin/rpcdebug -> $(SEC_CRIT) ; + /sbin/service -> $(SEC_CRIT) ; + /sbin/setsysfont -> $(SEC_CRIT) ; + /sbin/shutdown -> $(SEC_CRIT) ; + /sbin/sulogin -> $(SEC_CRIT) ; + /sbin/swapon -> $(SEC_CRIT) ; + /sbin/syslogd -> $(SEC_CRIT) ; + /sbin/unix_chkpwd -> $(SEC_CRIT) ; + /bin/pwd -> $(SEC_CRIT) ; + /bin/uname -> $(SEC_CRIT) ; +} + + +# Hardware and Device Control Programs. + +( + rulename = "Hardware and Device Control Programs", + severity = $(SIG_HI) +) +{ + /bin/setserial -> $(SEC_CRIT) ; + /bin/sfxload -> $(SEC_CRIT) ; + /sbin/blockdev -> $(SEC_CRIT) ; + /sbin/cardctl -> $(SEC_CRIT) ; + /sbin/cardmgr -> $(SEC_CRIT) ; + /sbin/cbq -> $(SEC_CRIT) ; + /sbin/dump_cis -> $(SEC_CRIT) ; + /sbin/elvtune -> $(SEC_CRIT) ; + /sbin/hotplug -> $(SEC_CRIT) ; + /sbin/hwclock -> $(SEC_CRIT) ; + /sbin/ide_info -> $(SEC_CRIT) ; + #/sbin/isapnp -> $(SEC_CRIT) ; + #/sbin/kbdrate -> $(SEC_CRIT) ; + /sbin/losetup -> $(SEC_CRIT) ; + /sbin/lspci -> $(SEC_CRIT) ; + /sbin/lspnp -> $(SEC_CRIT) ; + /sbin/mii-tool -> $(SEC_CRIT) ; + /sbin/pack_cis -> $(SEC_CRIT) ; + #/sbin/pnpdump -> $(SEC_CRIT) ; + /sbin/probe -> $(SEC_CRIT) ; + #/sbin/pump -> $(SEC_CRIT) ; + /sbin/setpci -> $(SEC_CRIT) ; + /sbin/shapecfg -> $(SEC_CRIT) ; +} + + +# System Information Programs. 
+ +( + rulename = "System Information Programs", + severity = $(SIG_HI) +) +{ + /sbin/consoletype -> $(SEC_CRIT) ; + /sbin/kernelversion -> $(SEC_CRIT) ; + /sbin/runlevel -> $(SEC_CRIT) ; +} + + +# Application Information Programs. + +( + rulename = "Application Information Programs", + severity = $(SIG_HI) +) +{ + /sbin/genksyms -> $(SEC_CRIT) ; + #/sbin/genksyms.old -> $(SEC_CRIT) ; + /sbin/rtmon -> $(SEC_CRIT) ; +} + + +# Shell Related Programs. + +( + rulename = "Shell Related Programs", + severity = $(SIG_HI) +) +{ + /sbin/getkey -> $(SEC_CRIT) ; + /sbin/nash -> $(SEC_CRIT) ; + /sbin/sash -> $(SEC_CRIT) ; +} + + +# OS Utilities. + +( + rulename = "Operating System Utilities", + severity = $(SIG_HI) +) +{ + /bin/arch -> $(SEC_CRIT) ; + /bin/ash -> $(SEC_CRIT) ; + /bin/ash.static -> $(SEC_CRIT) ; + /bin/aumix-minimal -> $(SEC_CRIT) ; + /bin/basename -> $(SEC_CRIT) ; + /bin/cat -> $(SEC_CRIT) ; + #/bin/consolechars -> $(SEC_CRIT) ; + /bin/cut -> $(SEC_CRIT) ; + /bin/date -> $(SEC_CRIT) ; + /bin/dd -> $(SEC_CRIT) ; + /bin/df -> $(SEC_CRIT) ; + /bin/dmesg -> $(SEC_CRIT) ; + /bin/doexec -> $(SEC_CRIT) ; + /bin/echo -> $(SEC_CRIT) ; + /bin/ed -> $(SEC_CRIT) ; + /bin/egrep -> $(SEC_CRIT) ; + /bin/false -> $(SEC_CRIT) ; + /bin/fgrep -> $(SEC_CRIT) ; + /bin/gawk -> $(SEC_CRIT) ; + #/bin/gawk-3.1.0 -> $(SEC_CRIT) ; # legacy + /bin/gettext -> $(SEC_CRIT) ; + /bin/grep -> $(SEC_CRIT) ; + /bin/gunzip -> $(SEC_CRIT) ; + /bin/gzip -> $(SEC_CRIT) ; + /bin/hostname -> $(SEC_CRIT) ; + /bin/igawk -> $(SEC_CRIT) ; + /bin/ipcalc -> $(SEC_CRIT) ; + /bin/kill -> $(SEC_CRIT) ; + /bin/ln -> $(SEC_CRIT) ; + /bin/loadkeys -> $(SEC_CRIT) ; + /bin/login -> $(SEC_CRIT) ; + /bin/ls -> $(SEC_CRIT) ; + /bin/mail -> $(SEC_CRIT) ; + /bin/more -> $(SEC_CRIT) ; + /bin/mt -> $(SEC_CRIT) ; + /bin/mv -> $(SEC_CRIT) ; + /bin/netstat -> $(SEC_CRIT) ; + /bin/nice -> $(SEC_CRIT) ; + /bin/pgawk -> $(SEC_CRIT) ; + /bin/ps -> $(SEC_CRIT) ; + /bin/rpm -> $(SEC_CRIT) ; + /bin/sed -> $(SEC_CRIT) ; + /bin/sleep 
-> $(SEC_CRIT) ; + /bin/sort -> $(SEC_CRIT) ; + /bin/stty -> $(SEC_CRIT) ; + /bin/su -> $(SEC_CRIT) ; + /bin/sync -> $(SEC_CRIT) ; + /bin/tar -> $(SEC_CRIT) ; + /bin/true -> $(SEC_CRIT) ; + /bin/usleep -> $(SEC_CRIT) ; + /bin/vi -> $(SEC_CRIT) ; + /bin/zcat -> $(SEC_CRIT) ; + /bin/zsh -> $(SEC_CRIT) ; + #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; # legacy + /sbin/sln -> $(SEC_CRIT) ; + /usr/bin/vimtutor -> $(SEC_CRIT) ; +} + + +# Critical Utility Sym-Links. + +( + rulename = "Critical Utility Sym-Links", + severity = $(SIG_HI) +) +{ + #/sbin/askrunlevel -> $(SEC_CRIT) ; + /sbin/clock -> $(SEC_CRIT) ; + #/sbin/fixperm -> $(SEC_CRIT) ; + /sbin/fsck.reiserfs -> $(SEC_CRIT) ; + #/sbin/fsconf -> $(SEC_CRIT) ; + #/sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; + /sbin/kallsyms -> $(SEC_CRIT) ; + /sbin/ksyms -> $(SEC_CRIT) ; + /sbin/lsmod -> $(SEC_CRIT) ; + #/sbin/mailconf -> $(SEC_CRIT) ; + /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; + #/sbin/modemconf -> $(SEC_CRIT) ; # legacy + /sbin/modprobe -> $(SEC_CRIT) ; + /sbin/mount.ncp -> $(SEC_CRIT) ; + /sbin/mount.ncpfs -> $(SEC_CRIT) ; + /sbin/mount.smb -> $(SEC_CRIT) ; + /sbin/mount.smbfs -> $(SEC_CRIT) ; + #/sbin/netconf -> $(SEC_CRIT) ; + /sbin/pidof -> $(SEC_CRIT) ; + /sbin/poweroff -> $(SEC_CRIT) ; + /sbin/quotaoff -> $(SEC_CRIT) ; + /sbin/raid0run -> $(SEC_CRIT) ; + /sbin/raidhotadd -> $(SEC_CRIT) ; + #/sbin/raidhotgenerateerror -> $(SEC_CRIT) ; + /sbin/raidhotremove -> $(SEC_CRIT) ; + /sbin/raidstop -> $(SEC_CRIT) ; + /sbin/rdump -> $(SEC_CRIT) ; + /sbin/rdump.static -> $(SEC_CRIT) ; + /sbin/reboot -> $(SEC_CRIT) ; + /sbin/rmmod -> $(SEC_CRIT) ; + /sbin/rrestore -> $(SEC_CRIT) ; + /sbin/rrestore.static -> $(SEC_CRIT) ; + /sbin/swapoff -> $(SEC_CRIT) ; + /sbin/telinit -> $(SEC_CRIT) ; + #/sbin/userconf -> $(SEC_CRIT) ; + #/sbin/uucpconf -> $(SEC_CRIT) ; + #/sbin/vregistry -> $(SEC_CRIT) ; + /bin/awk -> $(SEC_CRIT) ; + /bin/bash2 -> $(SEC_CRIT) ; + /bin/bsh -> $(SEC_CRIT) ; + /bin/csh -> $(SEC_CRIT) ; + /bin/dnsdomainname -> $(SEC_CRIT) ; + 
/bin/domainname -> $(SEC_CRIT) ; + /bin/ex -> $(SEC_CRIT) ; + /bin/gtar -> $(SEC_CRIT) ; + /bin/nisdomainname -> $(SEC_CRIT) ; + /bin/red -> $(SEC_CRIT) ; + /bin/rvi -> $(SEC_CRIT) ; + /bin/rview -> $(SEC_CRIT) ; + /bin/view -> $(SEC_CRIT) ; + /bin/ypdomainname -> $(SEC_CRIT) ; +} + + +# Temporary directories. + +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + + +# Local files. + +( + rulename = "User binaries", + severity = $(SIG_MED) +) +{ + /sbin -> $(SEC_BIN) (recurse = 1) ; + /usr/bin -> $(SEC_BIN) (recurse = 1) ; + /usr/sbin -> $(SEC_BIN) (recurse = 1) ; + /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; +} + +( + rulename = "Shell Binaries", + severity = $(SIG_HI) +) +{ + /bin/bash -> $(SEC_BIN) ; + /bin/ksh -> $(SEC_BIN) ; + #/bin/psh -> $(SEC_BIN) ; # legacy + #/bin/Rsh -> $(SEC_BIN) ; # legacy + /bin/sh -> $(SEC_BIN) ; + #/bin/shell -> $(SEC_SUID) ; # legacy + #/bin/tsh -> $(SEC_BIN) ; # legacy + /bin/tcsh -> $(SEC_BIN) ; + /sbin/nologin -> $(SEC_BIN) ; +} + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/security -> $(SEC_CRIT) ; + #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists +} + +#( +# rulename = "Boot Scripts", +# severity = $(SIG_HI) +#) +#{ +# /etc/rc -> $(SEC_CONFIG) ; +# /etc/rc.bsdnet -> $(SEC_CONFIG) ; +# /etc/rc.dt -> $(SEC_CONFIG) ; +# /etc/rc.net -> $(SEC_CONFIG) ; +# /etc/rc.net.serial -> $(SEC_CONFIG) ; +# /etc/rc.nfs -> $(SEC_CONFIG) ; +# /etc/rc.powerfail -> $(SEC_CONFIG) ; +# /etc/rc.tcpip -> $(SEC_CONFIG) ; +# /etc/trcfmt.Z -> $(SEC_CONFIG) ; +#} + +( + rulename = "Login Scripts", + severity = $(SIG_HI) +) +{ + /etc/bashrc -> $(SEC_CONFIG) ; + /etc/csh.cshrc -> $(SEC_CONFIG) ; + /etc/csh.login -> $(SEC_CONFIG) ; + /etc/inputrc -> $(SEC_CONFIG) ; + #/etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists + 
/etc/profile -> $(SEC_CONFIG) ; +} + + +# Libraries +( + rulename = "Libraries", + severity = $(SIG_MED) +) +{ + /usr/lib -> $(SEC_BIN) ; + /usr/local/lib -> $(SEC_BIN) ; + /usr/lib64 -> $(SEC_BIN) ; + /usr/local/lib64 -> $(SEC_BIN) ; +} + + +# Critical System Boot Files. +# These files are critical to a correct system boot. + +( + rulename = "Critical system boot files", + severity = $(SIG_HI) +) +{ + /boot -> $(SEC_CRIT) ; + #/sbin/devfsd -> $(SEC_CRIT) ; + /sbin/grub -> $(SEC_CRIT) ; + /sbin/grub-install -> $(SEC_CRIT) ; + /sbin/grub-md5-crypt -> $(SEC_CRIT) ; + /sbin/installkernel -> $(SEC_CRIT) ; + /sbin/lilo -> $(SEC_CRIT) ; + /sbin/mkkerneldoth -> $(SEC_CRIT) ; + !/boot/System.map ; + !/boot/module-info ; + /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; + # other boot files may exist. Look for: + #/ufsboot -> $(SEC_CRIT) ; +} + + # These files change every time the system boots. + +( + rulename = "System boot changes", + severity = $(SIG_HI) +) +{ + !/var/run/ftp.pids-all ; # Comes and goes on reboot. + !/root/.enlightenment ; + /dev/log -> $(SEC_CONFIG) ; + /dev/cua0 -> $(SEC_CONFIG) ; + #/dev/printer -> $(SEC_CONFIG) ; # legacy + /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. 
+ /dev/tty1 -> $(SEC_CONFIG) ; # tty devices + /dev/tty2 -> $(SEC_CONFIG) ; # tty devices + /dev/tty3 -> $(SEC_CONFIG) ; # are extremely + /dev/tty4 -> $(SEC_CONFIG) ; # variable + /dev/tty5 -> $(SEC_CONFIG) ; + /dev/tty6 -> $(SEC_CONFIG) ; + /dev/urandom -> $(SEC_CONFIG) ; + /dev/initctl -> $(SEC_CONFIG) ; + /var/lock/subsys -> $(SEC_CONFIG) ; + #/var/lock/subsys/amd -> $(SEC_CONFIG) ; + #/var/lock/subsys/anacron -> $(SEC_CONFIG) ; + /var/lock/subsys/apmd -> $(SEC_CONFIG) ; + #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; + /var/lock/subsys/atd -> $(SEC_CONFIG) ; + #/var/lock/subsys/autofs -> $(SEC_CONFIG) ; + #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; + #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; + /var/lock/subsys/canna -> $(SEC_CONFIG) ; + /var/lock/subsys/crond -> $(SEC_CONFIG) ; + #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; + #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/gated -> $(SEC_CONFIG) ; + /var/lock/subsys/gpm -> $(SEC_CONFIG) ; + #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/identd -> $(SEC_CONFIG) ; + #/var/lock/subsys/innd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ipchains -> $(SEC_CONFIG) ; # legacy + /var/lock/subsys/iptables -> $(SEC_CONFIG) ; + #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; + #/var/lock/subsys/irda -> $(SEC_CONFIG) ; + #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; + #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; + #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; # legacy + #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; + #/var/lock/subsys/keytable -> $(SEC_CONFIG) ; + #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; + #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; + #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; + /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; + #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; + #/var/lock/subsys/linuxconf -> 
$(SEC_CONFIG) ; # legacy + #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; + #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; + #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; + #/var/lock/subsys/named -> $(SEC_CONFIG) ; + /var/lock/subsys/netfs -> $(SEC_CONFIG) ; + /var/lock/subsys/network -> $(SEC_CONFIG) ; + #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; + /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; + #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; + /var/lock/subsys/ntpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; + #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; + #/var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; + /var/lock/subsys/portmap -> $(SEC_CONFIG) ; + #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; + #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; + #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; + /var/lock/subsys/random -> $(SEC_CONFIG) ; + #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/reconfig -> $(SEC_CONFIG) ; + #/var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; + #/var/lock/subsys/routed -> $(SEC_CONFIG) ; + #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; + #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; + #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; + #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; + /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; + #/var/lock/subsys/smb -> $(SEC_CONFIG) ; + #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/squid -> $(SEC_CONFIG) ; + /var/lock/subsys/sshd -> $(SEC_CONFIG) ; + /var/lock/subsys/syslog -> $(SEC_CONFIG) ; + #/var/lock/subsys/tux -> $(SEC_CONFIG) ; + #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/ups -> $(SEC_CONFIG) ; + #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; + #/var/lock/subsys/wine -> $(SEC_CONFIG) ; + /var/lock/subsys/xfs -> $(SEC_CONFIG) ; + /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ypbind -> $(SEC_CONFIG) ; + #/var/lock/subsys/yppasswdd -> 
$(SEC_CONFIG) ; + #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; + #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; + #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; + /var/run -> $(SEC_CONFIG) ; + /var/log -> $(SEC_CONFIG) ; + #/etc/ioctl.save -> $(SEC_CONFIG) ; + /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes + /etc/issue -> $(SEC_CONFIG) ; + /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount + /lib/modules -> $(SEC_CONFIG) ; + /etc/.pwd.lock -> $(SEC_CONFIG) ; + #/lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists +} + +# These files change the behavior of the root account +( + rulename = "Root config files", + severity = 100 +) +{ + /root -> $(SEC_CRIT) ; # Catch all additions to /root + /root/.Xresources -> $(SEC_CONFIG) ; + /root/.bashrc -> $(SEC_CONFIG) ; + /root/.bash_profile -> $(SEC_CONFIG) ; + /root/.bash_logout -> $(SEC_CONFIG) ; + /root/.cshrc -> $(SEC_CONFIG) ; + /root/.tcshrc -> $(SEC_CONFIG) ; + #/root/Mail -> $(SEC_CONFIG) ; + #/root/mail -> $(SEC_CONFIG) ; + #/root/.amandahosts -> $(SEC_CONFIG) ; + #/root/.addressbook.lu -> $(SEC_CONFIG) ; + #/root/.addressbook -> $(SEC_CONFIG) ; + /root/.bash_history -> $(SEC_CONFIG) ; + #/root/.elm -> $(SEC_CONFIG) ; + /root/.esd_auth -> $(SEC_CONFIG) ; + #/root/.gnome_private -> $(SEC_CONFIG) ; + #/root/.gnome-desktop -> $(SEC_CONFIG) ; + /root/.gnome -> $(SEC_CONFIG) ; + /root/.ICEauthority -> $(SEC_CONFIG) ; + #/root/.mc -> $(SEC_CONFIG) ; + #/root/.pinerc -> $(SEC_CONFIG) ; + #/root/.sawfish -> $(SEC_CONFIG) ; + /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login + #/root/.xauth -> $(SEC_CONFIG) ; + #/root/.xsession-errors -> $(SEC_CONFIG) ; +} + +# Critical configuration files. 
+ +( + rulename = "Critical configuration files", + severity = $(SIG_HI) +) +{ + #/etc/conf.linuxconf -> $(SEC_BIN) ; # legacy + /etc/crontab -> $(SEC_BIN) ; + /etc/cron.hourly -> $(SEC_BIN) ; + /etc/cron.daily -> $(SEC_BIN) ; + /etc/cron.weekly -> $(SEC_BIN) ; + /etc/cron.monthly -> $(SEC_BIN) ; + /etc/default -> $(SEC_BIN) ; + /etc/fstab -> $(SEC_BIN) ; + /etc/exports -> $(SEC_BIN) ; + /etc/group- -> $(SEC_BIN) ; # changes should be infrequent + /etc/host.conf -> $(SEC_BIN) ; + /etc/hosts.allow -> $(SEC_BIN) ; + /etc/hosts.deny -> $(SEC_BIN) ; + /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent + /etc/protocols -> $(SEC_BIN) ; + /etc/services -> $(SEC_BIN) ; + /etc/rc.d/init.d -> $(SEC_BIN) ; + /etc/rc.d -> $(SEC_BIN) ; + /etc/mail.rc -> $(SEC_BIN) ; + /etc/modules.conf -> $(SEC_BIN) ; # post 2.6 legacy + #/etc/modprobe.conf -> $(SEC_BIN) ; # include this for 2.6 kernels + /etc/motd -> $(SEC_BIN) ; + /etc/named.conf -> $(SEC_BIN) ; + /etc/passwd -> $(SEC_CONFIG) ; + /etc/passwd- -> $(SEC_CONFIG) ; + /etc/profile.d -> $(SEC_BIN) ; + /var/lib/nfs/rmtab -> $(SEC_BIN) ; + /usr/sbin/fixrmtab -> $(SEC_BIN) ; + /etc/rpc -> $(SEC_BIN) ; + /etc/sysconfig -> $(SEC_BIN) ; + /etc/samba/smb.conf -> $(SEC_CONFIG) ; + #/etc/gettydefs -> $(SEC_BIN) ; + /etc/nsswitch.conf -> $(SEC_BIN) ; + /etc/yp.conf -> $(SEC_BIN) ; + /etc/hosts -> $(SEC_CONFIG) ; + /etc/xinetd.conf -> $(SEC_CONFIG) ; + /etc/inittab -> $(SEC_CONFIG) ; + /etc/resolv.conf -> $(SEC_CONFIG) ; + /etc/syslog.conf -> $(SEC_CONFIG) ; +} + +# Critical devices. 
+ +( + rulename = "Critical devices", + severity = $(SIG_HI), + recurse = false +) +{ + /dev/kmem -> $(Device) ; + /dev/mem -> $(Device) ; + /dev/null -> $(Device) ; + /dev/zero -> $(Device) ; + /proc/devices -> $(Device) ; + /proc/net -> $(Device) ; + /proc/sys -> $(Device) ; + /proc/cpuinfo -> $(Device) ; + /proc/modules -> $(Device) ; + /proc/mounts -> $(Device) ; + /proc/dma -> $(Device) ; + /proc/filesystems -> $(Device) ; + /proc/pci -> $(Device) ; + /proc/interrupts -> $(Device) ; + /proc/driver/rtc -> $(Device) ; + /proc/ioports -> $(Device) ; + /proc/scsi -> $(Device) ; + /proc/kcore -> $(Device) ; + /proc/self -> $(Device) ; + /proc/kmsg -> $(Device) ; + /proc/stat -> $(Device) ; + /proc/ksyms -> $(Device) ; + /proc/loadavg -> $(Device) ; + /proc/uptime -> $(Device) ; + /proc/locks -> $(Device) ; + /proc/version -> $(Device) ; + /proc/mdstat -> $(Device) ; + /proc/meminfo -> $(Device) ; + /proc/cmdline -> $(Device) ; + /proc/misc -> $(Device) ; +} + +# Rest of critical system binaries +( + rulename = "OS executables and libraries", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_BIN) ; + /lib -> $(SEC_BIN) ; +} + +# disabled-entries: 184 + +# license: +#============================================================================= +# +# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# Linux is a registered trademark of Linus Torvalds. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. 
+# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM
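Review bot: The account database is under-monitored in the "Critical configuration files" and "Security Control" rules: `/etc/passwd -> $(SEC_CONFIG) ;` resolves to the built-in Dynamic mask, which as documented for Tripwire's predefined variables does not check size or content hash, so an edited /etc/passwd produces no violation, and /etc/shadow appears in no rule of this hunk at all, while /etc/group is on $(SEC_CRIT). I would change the passwd line to `/etc/passwd -> $(SEC_CRIT) ;` and add `/etc/shadow -> $(SEC_CRIT) ;` and `/etc/gshadow -> $(SEC_CRIT) ;` beside /etc/group in "Security Control"; the `passwd-`/`group-` backups can keep their current masks. Separately, `HOSTNAME=localhost;` in the GLOBAL section makes the "Tripwire Data Files" entry `$(TWLKEY)/$(HOSTNAME)-local.key` point at localhost-local.key, so unless an install step substitutes that variable, the real local key file is not covered on any host with a different name (the /etc rule is recurse = 0 and will not catch it either). A minor style point: "Root config files" uses a bare `severity = 100` where every other rule uses `$(SIG_HI)`.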