#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # Intrusion detection application # # License # ======= # # Copyright (C) 2014-2016 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . function backup_local_tripwire { echo -n '' } function backup_remote_tripwire { echo -n '' } function remove_tripwire { if ! grep -Fxq "tripwire" $COMPLETION_FILE; then return fi apt-get -yq remove --purge tripwire if [ -d /etc/tripwire ]; then rm -rf /etc/tripwire fi rm /usr/bin/reset-tripwire sed -i '/tripwire/d' $COMPLETION_FILE } function install_tripwire { if [[ $(is_completed $FUNCNAME) == "1" ]]; then return fi echo '*** Installing intrusion detection ***' debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false" debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false" apt-get -yq install tripwire apt-get -yq autoremove cd /etc/tripwire echo 'ROOT =/usr/sbin' > /etc/tripwire/twcfg.txt echo 'POLFILE =/etc/tripwire/tw.pol' >> /etc/tripwire/twcfg.txt echo 'DBFILE =/var/lib/tripwire/$(HOSTNAME).twd' >> /etc/tripwire/twcfg.txt echo 'REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr' >> /etc/tripwire/twcfg.txt echo 'SITEKEYFILE =/etc/tripwire/$(HOSTNAME)-site.key' >> /etc/tripwire/twcfg.txt echo 'LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key' >> /etc/tripwire/twcfg.txt echo 'EDITOR =/usr/bin/editor' >> /etc/tripwire/twcfg.txt echo 'LATEPROMPTING =false' >> /etc/tripwire/twcfg.txt echo 'LOOSEDIRECTORYCHECKING =false' >> /etc/tripwire/twcfg.txt echo 'MAILNOVIOLATIONS =false' >> /etc/tripwire/twcfg.txt echo 'EMAILREPORTLEVEL =3' >> /etc/tripwire/twcfg.txt echo 'REPORTLEVEL =3' >> /etc/tripwire/twcfg.txt echo 'SYSLOGREPORTING =false' >> /etc/tripwire/twcfg.txt echo 'MAILMETHOD =SMTP' >> /etc/tripwire/twcfg.txt echo 'SMTPHOST =localhost' >> /etc/tripwire/twcfg.txt echo 'SMTPPORT =25' >> /etc/tripwire/twcfg.txt echo 'TEMPDIRECTORY =/tmp' >> /etc/tripwire/twcfg.txt echo ' ' | twadmin --generate-keys -L /etc/tripwire/${HOSTNAME}-local.key -S /etc/tripwire/${HOSTNAME}-site.key echo ' ' | twadmin --create-cfgfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twcfg.txt # make a script for easy resetting of the tripwire echo '#!/bin/sh' > /usr/bin/reset-tripwire echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire chmod +x /usr/bin/reset-tripwire sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt # Don't show any changes to /proc sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt # Don't report log changes sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt # Ignore /etc/tripwire if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/pihole ;' /etc/tripwire/twpol.txt fi # ignore tt-rss cache if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt fi # Avoid logging the changed database sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt # create the policy echo ' ' | twadmin --create-polfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twpol.txt # create the database echo ' ' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile /var/lib/tripwire/${HOSTNAME}.twd if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then echo $'tripwire database was not created' exit 72925 fi # recreate the configuration echo ' ' | reset-tripwire mark_completed $FUNCNAME } # NOTE: deliberately no exit 0