Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / fc78c49fdc03cda04ed900f675a7d549c5cd3780 / . / meta-security / recipes-ids / tripwire / files / twinstall.sh
blob: 7d1b63fe5bcc50801059954a41f0dd3d85b0a33a [file] [log] [blame]
Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +0530[diff] [blame]1#!/bin/sh
2
3########################################################################
4########################################################################
5##
6## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
7##
8## Copyleft information contained in footer
9##
10########################################################################
11########################################################################
12
13##=======================================================
14## Setup
15##=======================================================
16
17# We can assume all the correct tools are in place because the
18# RPM installed, didn't it?
19
20##-------------------------------------------------------
21## Set HOST_NAME variable
22##-------------------------------------------------------
23HOST_NAME='localhost'
24if uname -n > /dev/null 2> /dev/null ; then
25 HOST_NAME=`uname -n`
26fi
27
28##-------------------------------------------------------
29## Program variables - edited by RPM during initial install
30##-------------------------------------------------------
31
32# Site Passphrase variable
33TW_SITE_PASS="tripwire"
34
35# Complete path to site key
36SITE_KEY="/etc/tripwire/site.key"
37
38# Local Passphrase variable
39TW_LOCAL_PASS="tripwire"
40
41# Complete path to local key
42LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
43
44# If clobber==true, overwrite files; if false, do not overwrite files.
45CLOBBER="false"
46
47# If prompt==true, ask for confirmation before continuing with install.
48PROMPT="true"
49
50# Name of twadmin executeable
51TWADMIN="twadmin"
52
53# Path to twadmin executeable
54TWADMPATH=/usr/sbin
55
56# Path to configuration directory
57CONF_PATH="/etc/tripwire"
58
59# Name of clear text policy file
60TXT_POL=$CONF_PATH/twpol.txt
61
62# Name of clear text configuration file
63TXT_CFG=$CONF_PATH/twcfg.txt
64
65# Name of encrypted configuration file
66CONFIG_FILE=$CONF_PATH/tw.cfg
67
68# Path of the final Tripwire policy file (signed)
69SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
70
71
72##=======================================================
73## Create Key Files
74##=======================================================
75
76##-------------------------------------------------------
77## If user has to enter a passphrase, give some
78## advice about what is appropriate.
79##-------------------------------------------------------
80
81if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
82cat << END_OF_TEXT
83
84----------------------------------------------
85The Tripwire site and local passphrases are used to
86sign a variety of files, such as the configuration,
87policy, and database files.
88
89Passphrases should be at least 8 characters in length
90and contain both letters and numbers.
91
92See the Tripwire manual for more information.
93END_OF_TEXT
94fi
95
96##=======================================================
97## Generate keys.
98##=======================================================
99
100echo
101echo "----------------------------------------------"
102echo "Creating key files..."
103
104##-------------------------------------------------------
105## Site key file.
106##-------------------------------------------------------
107
108# If clobber is true, and prompting is off (unattended operation)
109# and the key file already exists, remove it. Otherwise twadmin
110# will prompt with an "are you sure?" message.
111
112if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
113 rm -f "$SITE_KEY"
114fi
115
116if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
117 echo "The site key file \"$SITE_KEY\""
118 echo 'exists and will not be overwritten.'
119else
120 cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
121 if [ -n "$TW_SITE_PASS" ] ; then
122 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
123 fi
124 eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
125 if [ $? -ne 0 ] ; then
126 echo "Error: site key generation failed"
127 exit 1
128 else chmod 640 "$SITE_KEY"
129 fi
130fi
131
132##-------------------------------------------------------
133## Local key file.
134##-------------------------------------------------------
135
136# If clobber is true, and prompting is off (unattended operation)
137# and the key file already exists, remove it. Otherwise twadmin
138# will prompt with an "are you sure?" message.
139
140if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
141 rm -f "$LOCAL_KEY"
142fi
143
144if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
145 echo "The site key file \"$LOCAL_KEY\""
146 echo 'exists and will not be overwritten.'
147else
148 cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
149 if [ -n "$TW_LOCAL_PASS" ] ; then
150 cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
151 fi
152 eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
153 if [ $? -ne 0 ] ; then
154 echo "Error: local key generation failed"
155 exit 1
156 else chmod 640 "$LOCAL_KEY"
157 fi
158fi
159
160##=======================================================
161## Sign the Configuration File
162##=======================================================
163
164echo
165echo "----------------------------------------------"
166echo "Signing configuration file..."
167
168##-------------------------------------------------------
169## If noclobber, then backup any existing config file.
170##-------------------------------------------------------
171
172if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
173 backup="${CONFIG_FILE}.$$.bak"
174 echo "Backing up $CONFIG_FILE"
175 echo " to $backup"
176 `mv "$CONFIG_FILE" "$backup"`
177 if [ $? -ne 0 ] ; then
178 echo "Error: backup of configuration file failed."
179 exit 1
180 fi
181fi
182
183##-------------------------------------------------------
184## Build command line.
185##-------------------------------------------------------
186
187cmdargs="--create-cfgfile"
188cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
189cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
190if [ -n "$TW_SITE_PASS" ] ; then
191 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
192fi
193
194##-------------------------------------------------------
195## Sign the file.
196##-------------------------------------------------------
197
198eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
199if [ $? -ne 0 ] ; then
200 echo "Error: signing of configuration file failed."
201 exit 1
202fi
203
204# Set the rights properly
205chmod 640 "$CONFIG_FILE"
206
207##-------------------------------------------------------
208## We keep the cleartext version around.
209##-------------------------------------------------------
210
211cat << END_OF_TEXT
212
213A clear-text version of the Tripwire configuration file
214$TXT_CFG
215has been preserved for your inspection. It is recommended
216that you delete this file manually after you have examined it.
217
218END_OF_TEXT
219
220##=======================================================
221## Sign tripwire policy file.
222##=======================================================
223
224echo
225echo "----------------------------------------------"
226echo "Signing policy file..."
227
228##-------------------------------------------------------
229## If noclobber, then backup any existing policy file.
230##-------------------------------------------------------
231
232if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
233 backup="${POLICY_FILE}.$$.bak"
234 echo "Backing up $POLICY_FILE"
235 echo " to $backup"
236 mv "$POLICY_FILE" "$backup"
237 if [ $? -ne 0 ] ; then
238 echo "Error: backup of policy file failed."
239 exit 1
240 fi
241fi
242
243##-------------------------------------------------------
244## Build command line.
245##-------------------------------------------------------
246
247cmdargs="--create-polfile"
248cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
249cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
250if [ -n "$TW_SITE_PASS" ] ; then
251 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
252fi
253
254##-------------------------------------------------------
255## Sign the file.
256##-------------------------------------------------------
257
258eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
259if [ $? -ne 0 ] ; then
260 echo "Error: signing of policy file failed."
261 exit 1
262fi
263
264# Set the proper rights on the newly signed policy file.
265chmod 0640 "$SIGNED_POL"
266
267##-------------------------------------------------------
268## We keep the cleartext version around.
269##-------------------------------------------------------
270
271cat << END_OF_TEXT
272
273A clear-text version of the Tripwire policy file
274$TXT_POL
275has been preserved for your inspection. This implements
276a minimal policy, intended only to test essential
277Tripwire functionality. You should edit the policy file
278to describe your system, and then use twadmin to generate
279a new signed copy of the Tripwire policy.
280
281END_OF_TEXT
282
283# Initialize tripwire database
284/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
285--local-passphrase $TW_LOCAL_PASS 2> /dev/null
286
287########################################################################
288########################################################################
289#
290# TRIPWIRE GPL NOTICES
291#
292# The developer of the original code and/or files is Tripwire, Inc.
293# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
294# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
295#
296# This program is free software. The contents of this file are subject to
297# the terms of the GNU General Public License as published by the Free
298# Software Foundation; either version 2 of the License, or (at your option)
299# any later version. You may redistribute it and/or modify it only in
300# compliance with the GNU General Public License.
301#
302# This program is distributed in the hope that it will be useful. However,
303# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
304# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
305# Please see the GNU General Public License for more details.
306#
307# You should have received a copy of the GNU General Public License along
308# with this program; if not, write to the Free Software Foundation, Inc.,
309# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
310#
311# Nothing in the GNU General Public License or any other license to use the
312# code or files shall permit you to use Tripwire's trademarks,
313# service marks, or other intellectual property without Tripwire's
314# prior written consent.
315#
316# If you have any questions, please contact Tripwire, Inc. at either
317# info@tripwire.org or www.tripwire.org.
318#
319########################################################################
320########################################################################