#!/bin/sh ######################################################################## ######################################################################## ## ## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script ## ## Copyleft information contained in footer ## ######################################################################## ######################################################################## ##======================================================= ## Setup ##======================================================= # We can assume all the correct tools are in place because the # RPM installed, didn't it? ##------------------------------------------------------- ## Set HOST_NAME variable ##------------------------------------------------------- HOST_NAME='localhost' if uname -n > /dev/null 2> /dev/null ; then HOST_NAME=`uname -n` fi ##------------------------------------------------------- ## Program variables - edited by RPM during initial install ##------------------------------------------------------- # Site Passphrase variable TW_SITE_PASS="" # Complete path to site key SITE_KEY="@sysconfdir@/tripwire/site.key" # Local Passphrase variable TW_LOCAL_PASS="" # Complete path to local key LOCAL_KEY="@sysconfdir@/tripwire/${HOST_NAME}-local.key" # If clobber==true, overwrite files; if false, do not overwrite files. CLOBBER="false" # If prompt==true, ask for confirmation before continuing with install. PROMPT="true" # Name of twadmin executeable TWADMIN="twadmin" # Path to twadmin executeable TWADMPATH=@sbindir@ # Path to configuration directory CONF_PATH="@sysconfdir@/tripwire" # Name of clear text policy file TXT_POL=$CONF_PATH/twpol.txt # Name of clear text configuration file TXT_CFG=$CONF_PATH/twcfg.txt # Name of encrypted configuration file CONFIG_FILE=$CONF_PATH/tw.cfg # Path of the final Tripwire policy file (signed) SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'` ##======================================================= ## Create Key Files ##======================================================= ##------------------------------------------------------- ## If user has to enter a passphrase, give some ## advice about what is appropriate. ##------------------------------------------------------- if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then cat << END_OF_TEXT ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. END_OF_TEXT fi ##======================================================= ## Generate keys. ##======================================================= echo echo "----------------------------------------------" echo "Creating key files..." ##------------------------------------------------------- ## Site key file. ##------------------------------------------------------- # If clobber is true, and prompting is off (unattended operation) # and the key file already exists, remove it. Otherwise twadmin # will prompt with an "are you sure?" message. if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then rm -f "$SITE_KEY" fi if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then echo "The site key file \"$SITE_KEY\"" echo 'exists and will not be overwritten.' else cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\"" if [ -n "$TW_SITE_PASS" ] ; then cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" fi eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" if [ $? -ne 0 ] ; then echo "Error: site key generation failed" exit 1 else chmod 640 "$SITE_KEY" fi fi ##------------------------------------------------------- ## Local key file. ##------------------------------------------------------- # If clobber is true, and prompting is off (unattended operation) # and the key file already exists, remove it. Otherwise twadmin # will prompt with an "are you sure?" message. if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then rm -f "$LOCAL_KEY" fi if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then echo "The local key file \"$LOCAL_KEY\"" echo 'exists and will not be overwritten.' else cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\"" if [ -n "$TW_LOCAL_PASS" ] ; then cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\"" fi eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" if [ $? -ne 0 ] ; then echo "Error: local key generation failed" exit 1 else chmod 640 "$LOCAL_KEY" fi fi ##======================================================= ## Sign the Configuration File ##======================================================= echo echo "----------------------------------------------" echo "Signing configuration file..." ##------------------------------------------------------- ## If noclobber, then backup any existing config file. ##------------------------------------------------------- if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then backup="${CONFIG_FILE}.$$.bak" echo "Backing up $CONFIG_FILE" echo " to $backup" `mv "$CONFIG_FILE" "$backup"` if [ $? -ne 0 ] ; then echo "Error: backup of configuration file failed." exit 1 fi fi ##------------------------------------------------------- ## Build command line. ##------------------------------------------------------- cmdargs="--create-cfgfile" cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" if [ -n "$TW_SITE_PASS" ] ; then cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" fi ##------------------------------------------------------- ## Sign the file. ##------------------------------------------------------- eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\"" if [ $? -ne 0 ] ; then echo "Error: signing of configuration file failed." exit 1 fi # Set the rights properly chmod 640 "$CONFIG_FILE" ##------------------------------------------------------- ## We keep the cleartext version around. ##------------------------------------------------------- cat << END_OF_TEXT A clear-text version of the Tripwire configuration file: $TXT_CFG has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. END_OF_TEXT ##======================================================= ## Sign tripwire policy file. ##======================================================= echo echo "----------------------------------------------" echo "Signing policy file..." ##------------------------------------------------------- ## If noclobber, then backup any existing policy file. ##------------------------------------------------------- if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then backup="${POLICY_FILE}.$$.bak" echo "Backing up $POLICY_FILE" echo " to $backup" mv "$POLICY_FILE" "$backup" if [ $? -ne 0 ] ; then echo "Error: backup of policy file failed." exit 1 fi fi ##------------------------------------------------------- ## Build command line. ##------------------------------------------------------- cmdargs="--create-polfile" cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" if [ -n "$TW_SITE_PASS" ] ; then cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" fi ##------------------------------------------------------- ## Sign the file. ##------------------------------------------------------- eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\"" if [ $? -ne 0 ] ; then echo "Error: signing of policy file failed." exit 1 fi # Set the proper rights on the newly signed policy file. chmod 0640 "$SIGNED_POL" ##------------------------------------------------------- ## We keep the cleartext version around. ##------------------------------------------------------- cat << END_OF_TEXT A clear-text version of the Tripwire policy file: $TXT_POL has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example). Now run "tripwire --init" to enter Database Initialization Mode. This reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used. END_OF_TEXT exit 0 ######################################################################## ######################################################################## # # TRIPWIRE GPL NOTICES # # The developer of the original code and/or files is Tripwire, Inc. # Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc. # Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. # # This program is free software. The contents of this file are subject to # the terms of the GNU General Public License as published by the Free # Software Foundation; either version 2 of the License, or (at your option) # any later version. You may redistribute it and/or modify it only in # compliance with the GNU General Public License. # # This program is distributed in the hope that it will be useful. However, # this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE # IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. # Please see the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # Nothing in the GNU General Public License or any other license to use the # code or files shall permit you to use Tripwire's trademarks, # service marks, or other intellectual property without Tripwire's # prior written consent. # # If you have any questions, please contact Tripwire, Inc. at either # info@tripwire.org or www.tripwire.org. # ######################################################################## ########################################################################