freedombone/src/freedombone-base-tripwire

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Intrusion detection application
#
# License
# =======
#
# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

function backup_local_tripwire {
    echo -n ''
}

function backup_remote_tripwire {
    echo -n ''
}

function remove_tripwire {
    if ! grep -Fxq "tripwire" $COMPLETION_FILE; then
        return
    fi
    apt-get -yq remove --purge tripwire
    if [ -d /etc/tripwire ]; then
        rm -rf /etc/tripwire
    fi
    rm /usr/bin/reset-tripwire
    sed -i '/tripwire/d' $COMPLETION_FILE
}

function install_tripwire {
    if [[ $(is_completed $FUNCNAME) == "1" ]]; then
        return
    fi

    echo '*** Installing intrusion detection ***'

    debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false"
    debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false"

    apt-get -yq install tripwire qrencode
    apt-get -yq autoremove
    cd /etc/tripwire

    echo 'ROOT          =/usr/sbin' > /etc/tripwire/twcfg.txt
    echo 'POLFILE       =/etc/tripwire/tw.pol' >> /etc/tripwire/twcfg.txt
    echo 'DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd' >> /etc/tripwire/twcfg.txt
    echo 'REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr' >> /etc/tripwire/twcfg.txt
    echo 'SITEKEYFILE   =/etc/tripwire/$(HOSTNAME)-site.key' >> /etc/tripwire/twcfg.txt
    echo 'LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key' >> /etc/tripwire/twcfg.txt
    echo 'EDITOR        =/usr/bin/editor' >> /etc/tripwire/twcfg.txt
    echo 'LATEPROMPTING =false' >> /etc/tripwire/twcfg.txt
    echo 'LOOSEDIRECTORYCHECKING =false' >> /etc/tripwire/twcfg.txt
    echo 'MAILNOVIOLATIONS =false' >> /etc/tripwire/twcfg.txt
    echo 'EMAILREPORTLEVEL =3' >> /etc/tripwire/twcfg.txt
    echo 'REPORTLEVEL   =3' >> /etc/tripwire/twcfg.txt
    echo 'SYSLOGREPORTING =false' >> /etc/tripwire/twcfg.txt
    echo 'MAILMETHOD    =SENDMAIL' >> /etc/tripwire/twcfg.txt
    echo 'MAILPROGRAM   =/usr/lib/sendmail -oi -t' >> /etc/tripwire/twcfg.txt
    echo 'SMTPHOST      =localhost' >> /etc/tripwire/twcfg.txt
    echo 'SMTPPORT      =25' >> /etc/tripwire/twcfg.txt
    echo 'TEMPDIRECTORY =/tmp' >> /etc/tripwire/twcfg.txt
    echo 'MAILFROMADDRESS =tripwire@$(HOSTNAME)' >> /etc/tripwire/twcfg.txt

    echo '

       ' | twadmin --generate-keys -L /etc/tripwire/${HOSTNAME}-local.key -S /etc/tripwire/${HOSTNAME}-site.key

    echo '

       ' | twadmin --create-cfgfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twcfg.txt

    # make a script for easy resetting of the tripwire
    echo '#!/bin/sh' > /usr/bin/reset-tripwire
    echo 'tripwire -m i' >> /usr/bin/reset-tripwire
    chmod +x /usr/bin/reset-tripwire

    sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt
    sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt
    # Don't show any changes to /proc
    sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt
    # Don't report log changes
    sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt
    # Ignore /etc/tripwire
    if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/tripwire ;' /etc/tripwire/twpol.txt
    fi
    # Ignore /etc/freedombone
    if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/freedombone ;' /etc/tripwire/twpol.txt
    fi
    # Ignore /etc/pihole
    if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/pihole ;' /etc/tripwire/twpol.txt
    fi
    # ignore tt-rss cache
    if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
    fi
    # ignore global node modules
    if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
        sed -i '\|/etc\t\t->.*|a\    !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
    fi
    # Events here are likely due to USB HRNG activity
    if ! grep -q '!/dev/char' /etc/tripwire/twpol.txt; then
        sed -i '\|/dev\t\t->.*|a\    !/dev/char ;' /etc/tripwire/twpol.txt
    fi
    if ! grep -q '!/dev/bus/usb' /etc/tripwire/twpol.txt; then
        sed -i '\|/dev\t\t->.*|a\    !/dev/bus/usb ;' /etc/tripwire/twpol.txt
    fi

    # Not much is in /usr/local/bin other than project commands and avoiding it removes
    # problems with updates. This is a tradeoff, but not by much.
    sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt

    # Avoid logging the changed database
    sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
    # site key name
    sed -i 's|$(TWETC)/site.key|$(TWETC)/$(HOSTNAME)-site.key|g' /etc/tripwire/twpol.txt

    # create the policy
    echo '

       ' | twadmin --create-polfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twpol.txt

    mark_completed $FUNCNAME
}

# NOTE: deliberately no exit 0