#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# Intrusion detection application
#
# License
# =======
#
# Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

function backup_local_tripwire {
    echo -n ''
}

function backup_remote_tripwire {
    echo -n ''
}

function remove_tripwire {
    if ! grep -Fxq "tripwire" "$COMPLETION_FILE"; then
        return
    fi
    apt-get -yq remove --purge tripwire
    if [ -d /etc/tripwire ]; then
        rm -rf /etc/tripwire
    fi
    rm /usr/bin/reset-tripwire
    sed -i '/tripwire/d' "$COMPLETION_FILE"
}

function install_tripwire {
    if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
        return
    fi

    echo '*** Installing intrusion detection ***'

    debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false"
    debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false"

    apt-get -yq install tripwire qrencode
    apt-get -yq autoremove
    cd /etc/tripwire || exit 246852845

    { echo 'ROOT          =/usr/sbin';
      echo 'POLFILE       =/etc/tripwire/tw.pol';
      echo "DBFILE        =/var/lib/tripwire/\$(HOSTNAME).twd";
      echo "REPORTFILE    =/var/lib/tripwire/report/\$(HOSTNAME)-\$(DATE).twr";
      echo "SITEKEYFILE   =/etc/tripwire/\$(HOSTNAME)-site.key";
      echo "LOCALKEYFILE  =/etc/tripwire/\$(HOSTNAME)-local.key";
      echo 'EDITOR        =/usr/bin/editor';
      echo 'LATEPROMPTING =false';
      echo 'LOOSEDIRECTORYCHECKING =false';
      echo 'MAILNOVIOLATIONS =false';
      echo 'EMAILREPORTLEVEL =3';
      echo 'REPORTLEVEL   =3';
      echo 'SYSLOGREPORTING =false';
      echo 'MAILMETHOD    =SENDMAIL';
      echo 'MAILPROGRAM   =/usr/lib/sendmail -oi -t';
      echo 'SMTPHOST      =localhost';
      echo 'SMTPPORT      =25';
      echo 'TEMPDIRECTORY =/tmp';
      echo "MAILFROMADDRESS =tripwire@\$(HOSTNAME)"; } > /etc/tripwire/twcfg.txt

    echo '

       ' | twadmin --generate-keys -L "/etc/tripwire/${HOSTNAME}-local.key" -S "/etc/tripwire/${HOSTNAME}-site.key"

    echo '

       ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt

    # make a script for easy resetting of the tripwire
    echo '#!/bin/sh' > /usr/bin/reset-tripwire
    echo 'tripwire -m i' >> /usr/bin/reset-tripwire
    chmod +x /usr/bin/reset-tripwire

    sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt
    sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt
    # Don't show any changes to /proc
    sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt
    # Don't report log changes
    sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt
    # Ignore /etc/tripwire
    if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/tripwire ;' /etc/tripwire/twpol.txt
    fi
    # Ignore /etc/freedombone
    if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/freedombone ;' /etc/tripwire/twpol.txt
    fi
    # Ignore /etc/pihole
    if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/pihole ;' /etc/tripwire/twpol.txt
    fi
    # ignore tt-rss cache
    if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
    fi
    # ignore global node modules
    if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/root/.npm-global/lib/node_modules' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/root/.npm-global/lib/node_modules ;' /etc/tripwire/twpol.txt
    fi
    # Events here are likely due to USB HRNG activity
    if ! grep -q '!/dev/char' /etc/tripwire/twpol.txt; then
        sed -i '\|/dev\t\t->.*|a\    !/dev/char ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/dev/bus/usb' /etc/tripwire/twpol.txt; then
        sed -i '\|/dev\t\t->.*|a\    !/dev/bus/usb ;' /etc/tripwire/twpol.txt
    fi

    # Not much is in /usr/local/bin other than project commands and avoiding it removes
    # problems with updates. This is a tradeoff, but not by much.
    sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt

    # Avoid logging the changed database
    sed -i "s|\$(TWETC)/tw.pol.*||g" /etc/tripwire/twpol.txt
    # site key name
    sed -i "s|\$(TWETC)/site.key|\$(TWETC)/\$(HOSTNAME)-site.key|g" /etc/tripwire/twpol.txt

    # create the policy
    echo '

       ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt

    mark_completed "${FUNCNAME[0]}"
}

# NOTE: deliberately no exit 0