freedombone/src/freedombone-base-tripwire

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Intrusion detection application
#
# License
# =======
#
# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

function backup_local_tripwire {
    echo -n ''
}

function backup_remote_tripwire {
    echo -n ''
}

function remove_tripwire {
    if ! grep -Fxq "tripwire" $COMPLETION_FILE; then
        return
    fi
    apt-get -yq remove --purge tripwire
    if [ -d /etc/tripwire ]; then
        rm -rf /etc/tripwire
    fi
    rm /usr/bin/reset-tripwire
    sed -i '/tripwire/d' $COMPLETION_FILE
}

function install_tripwire {
    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
        return
    fi
    apt-get -yq install tripwire
    apt-get -yq autoremove
    cd /etc/tripwire
    cp site.key $DEFAULT_DOMAIN_NAME-site.key
    echo '*** Installing intrusion detection ***'
    echo '

' | tripwire --init

    # make a script for easy resetting of the tripwire
    echo '#!/bin/sh' > /usr/bin/reset-tripwire
    echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire
    chmod +x /usr/bin/reset-tripwire

    sed -i 's/SYSLOGREPORTING.*/SYSLOGREPORTING =false/g' /etc/tripwire/twcfg.txt
    # only send emails if something has changed
    sed -i 's|MAILNOVIOLATIONS.*|MAILNOVIOLATIONS = false|g' /etc/tripwire/twcfg.txt
    sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt
    sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt
    # Don't show any changes to /proc
    sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt
    # Don't report log changes
    sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt
    # Ignore /etc/tripwire
    if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/tripwire ;' /etc/tripwire/twpol.txt
    fi
    # ignore tt-rss cache
    if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
    fi
    # Avoid logging the changed database
    sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
    # recreate the configuration
    echo '

       ' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
    # reset
    echo '



       ' | reset-tripwire

    mark_completed $FUNCNAME
}

# NOTE: deliberately no exit 0