Merge branch 'master' into dev/aros

2016-04-03 20:35:41 -07:00 · 2016-04-03 20:35:41 -07:00 · 0256caa576
parent 5e5cf96bf5 1ee24a68bd
commit 0256caa576
23 changed files with 2582 additions and 12 deletions
--- a/8
+++ b/8
@ -7,12 +7,18 @@
 	* Fix handling of SHA hashes (with and without OpenSSL hash impl.)
 	* Update GNU config.guess & config.sub to current versions
 	* Compilation fixes for various and sundry Posix-esque platforms
-	(Mac OS X, OpenBSD, OpenSolaris, Cygwin, Minix 3.x, GNU/Hurd, MidnightBSD, Haiku, Syllable, SkyOS)  
+	(Mac OS X, OpenBSD, OpenSolaris, Cygwin, Minix 3.x, GNU/Hurd, MidnightBSD, Haiku, Syllable, SkyOS, Sortix)  
 	* Added script to bump buildys file timestaps, to fix 
 	spurious aclocal/automake errors on a fresh clone/untar/etc.
 	* Update 'make dist' to bundle manpages & policy files
 	* Replace broken RPM spec w/ 'Packaging' doc that explains where to get packaging stuff.
+	* Add contributed files from 2.4.2.3 fork (see below)
 	
+2014-01-01 Barry Allard <barry.allard@gmail.com>
+
+	* Bumping version to 2.4.2.3
+	* Fixed compilation on clang and gcc compilers
+
 2011-11-21 Stephane Dudzinski <tripwire@frlinux.net>

 	* Bumping version to 2.4.2.2
--- a/2
+++ b/2
@ -10,6 +10,8 @@ itripn@users.sourceforge.net

 Community Contributors:

+Thom O'Connor (https://github.com/thomoco): Contributed LLVM/clang build fixes.
+
 Paul Herman (www.frenchfries.net/paul/tripwire): Paul is almost solely
 responsible for the meat of the 2.4.0.1 release. His work on the autoconf
 and gcc 3.x support (among other things) has contributed to a much more
--- a/8
+++ b/8
@ -1,6 +1,10 @@
 Packaging for Open Source Tripwire is maintained by various third parties:

- * RPM: http://pkgs.fedoraproject.org/cgit/rpms/tripwire.git/
+ * RPM (Fedora): http://pkgs.fedoraproject.org/cgit/rpms/tripwire.git/
+ 
+ * RPM (OpenSuSE): https://build.opensuse.org/package/show/security/tripwire
+
+ * RPM (AIX): http://www.perzl.org/aix/index.php?n=Main.Tripwire 

 * Debian: https://tracker.debian.org/pkg/tripwire

@ -10,6 +14,8 @@ Packaging for Open Source Tripwire is maintained by various third parties:

 * FreshPorts (BSD): http://www.freshports.org/security/tripwire

+ * MacPorts: https://trac.macports.org/browser/trunk/dports/security/tripwire
+
 * NetBSD pkgsrc: http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/tripwire/README.html
   NOTE: At present (March 2016), NetBSD provides the ancient Tripwire 1.2, from the mid-1990s.
         That version lacks contemporary hash algorithms, and you probably don't want to use it.
--- a/ReadMe-2.4.3
+++ b/ReadMe-2.4.3
@ -26,6 +26,7 @@ Linuxes
 - CentOS 7 (amd64) + gcc 4.8.5
 - Ubuntu 14.0.4 (amd64) + gcc 4.x
 - RHEL 3.4 (Itanium) + gcc 3.4.3
+- Android 6.0 + gcc 4.9

 OSX
 - Mac OS X 10.11 + LLVM 7.0.2 / clang-700.1.81
@ -47,4 +48,17 @@ Other
 - Haiku R1 Alpha 4 + gcc 4
 - Syllable 0.67 + gcc 4.1.2
 - SkyOS 5 (beta 6947) + gcc 4.1.1
+- Sortix 1.0 + gcc 5.3.0
+
+
+Building Notes:
+
+* If cross compiling, a --disable-openssl argument must be passed to ./configure,
+since its OpenSSL existence check currently uses an AC_TRY_RUN macro.
+
+* Recent Android versions may require additional compiler & linker arguments:  
+“-fPIE" in CFLAGS and "-fPIE -pie" in LDFLAGS.  It's simplest to add these
+to configure.in and run autoreconf -i instead of hand-editing each Makefile 
+individually.
+ 

--- a/autogen.sh
+++ b/autogen.sh
--- a/autogen.sh.README
+++ b/autogen.sh.README
@ -0,0 +1,67 @@
+a u t o g e n . s h
+"also known as buildconf"
+http://buildconf.brlcad.org
+
+
+INTRODUCTION
+============
+
+The autogen.sh script provides automatic build system preparation for
+projects that use the GNU Autotools build system.  In brief, the
+script is a drop-in replacement for running 'autoreconf' while
+detecting and cleanly reporting on a variety of common configuration
+issues.
+
+The script does a lot more than 'autoreconf' can, though, accounting
+for a lot of common issues, bugs, and misconfiguration problems that
+would otherwise be problems passed on to your users.  Unlike the
+philosophy of some of the GNU developers, the autogen.sh script helps
+make things "just work" a little better without imposing unnecessary
+burden on your users.
+
+
+INSTALLING
+==========
+
+To install the script, simply copy the script into your source
+repository and run it:
+
+sh autogen.sh
+
+
+RUNNING
+=======
+
+The AUTORECONF, AUTOCONF, AUTOMAKE, LIBTOOLIZE, ACLOCAL, AUTOHEADER
+environment variables and corresponding _OPTIONS variables (e.g.
+AUTORECONF_OPTIONS) may be used to override the default automatic
+detection behaviors.  Similarly the _VERSION variables will override
+the minimum required version numbers.  Otherwise, you can edit the
+script directly to set minimum version numbers.
+
+Examples:
+
+  To obtain help on usage:
+    ./autogen.sh --help
+
+  To obtain verbose output:
+    ./autogen.sh --verbose
+
+  To skip autoreconf and prepare manually:
+    AUTORECONF=false ./autogen.sh
+
+  To verbosely try running with an older (unsupported) autoconf:
+    AUTOCONF_VERSION=2.50 ./autogen.sh --verbose
+
+
+CONTACT
+=======
+
+Author:
+Christopher Sean Morrison <morrison@brlcad.org>
+
+Patches:
+Sebastian Pipping <sebastian@pipping.org>
+
+The autogen.sh script is distributed under the terms of a standard
+3-clause BSD-style license.  See the script for the exact language.
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+#!/bin/sh
+git clean -dff
+git clean -Xff
+rm -rf autom4te.cache
--- a/contrib/generate_from_template
+++ b/contrib/generate_from_template
@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+if [ $# != 6 ]; then
+  echo "$0 file.in file.out TRIPWIRE_ROOT TRIPWIRE_ETC_DIR TRIPWIRE_DB_DIR TRIPWIRE_LOG_DIR" >&2
+  echo >&2
+  echo "      file.in cannot be the same as file.out" >&2
+  exit 1
+fi
+
+sed "s%TRIPWIRE_ROOT%$3%g;s%TRIPWIRE_ETC_DIR%$4;s%TRIPWIRE_DB_DIR%$5%g;s%TRIPWIRE_LOG_DIR%$6%g" "$1" > "$2"
+test -x "$1" && chmod +x "$2"
--- a/contrib/generic_install_scripts
+++ b/contrib/generic_install_scripts
@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# 1. install all tripwire_* scripts from contrib/
+# 2. installs policy and config text files 
+# 3. installs the plist but does not launch it
+#
+set -e
+
+## start config -- edits okay here 
+TRIPWIRE_ROOT="${TRIPWIRE_ROOT-/usr/local}"
+TRIPWIRE_ETC_DIR="${TRIPWIRE_ETC_DIR-/etc}"
+TRIPWIRE_DB_DIR="${TRIPWIRE_DB_DIR-/var/db/tripwire}"
+TRIPWIRE_LOG_DIR="${TRIPWIRE_LOG_DIR-/var/log/tripwire}"
+## end config -- dont edit past here
+
+mkdir -p "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+
+THIS_SCRIPT_DIR="$(cd `dirname "$0"`; pwd)"
+GENERATE_FROM_TEMPLATE="${THIS_SCRIPT}/generate_from_template"
+
+for GENERIC_SCRIPT in tripwire_*; do
+  "$GENERATE_FROM_TEMPLATE" $GENERIC_SCRIPT "$TRIPWIRE_ROOT/sbin/$GENERIC_SCRIPT" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
--- a/contrib/make-bin-dist
+++ b/contrib/make-bin-dist
@ -1,21 +1,99 @@
-#!/bin/sh
+#!/usr/bin/env bash
 #
 # A very cheesy script to prep a release
 #
+set -e

 PRODUCT=tripwire
 VERSION=2.4.3.0
-ARCH=x86
-TYPE=bin
-ROOT_DIR=$PRODUCT-$VERSION-$ARCH-$TYPE
-EXCLUDES=.svn

-mkdir $ROOT_DIR
+platform() {
+  case `uname` in
+    Darwin) echo 'osx' ;;
+    Linux) echo 'linux' ;;
+    FreeBSD) echo 'freebsd' ;;
+    *) echo 'unknown' ;;
+  esac
+}
+
+
+arch() {
+  case "$1" in
+    osx|freebsd|linux)
+      if file bin/tripwire | grep -q '64-bit'; then
+        echo 'x86_64'
+      else
+        echo 'x86'
+      fi
+      ;;
+    *) echo 'unknown'
+  esac
+}
+
+PLATFORM=$(platform)
+ARCH=$(arch $PLATFORM)
+TYPE=bin
+ROOT_DIR=$PRODUCT-$VERSION-$PLATFORM-$ARCH-$TYPE
+EXCLUDES='.svn .git .gitignore'
+
+
+
+EXCLUDES="$(for EXCLUDE in $EXCLUDES; do echo --exclude $EXCLUDE; done)"
+
+SCRIPT_DIR="$(cd `dirname $0`; pwd)"
+SCRIPT_DIR_DOTDOT="$(dirname "$SCRIPT_DIR")"
+
+if ! test -x bin/tripwire* ; then
+  echo "tripwire not ready for release (bins not found in bin/ dir)" >&2
+  exit 1
+fi
+
+trap 'RESULT=$?; rm -rf "$SCRIPT_DIR_DOTDOT/releases/$ROOT_DIR"; exit $RESULT' INT QUIT EXIT TERM ERR
+
+mkdir -p "$SCRIPT_DIR_DOTDOT/releases"
+cd "$SCRIPT_DIR_DOTDOT/releases"
+mkdir "$ROOT_DIR"
 ln -s ../bin ../contrib ../man ../policy $ROOT_DIR/
-ln -s ../COPYING ../ChangeLog ../INSTALL ../MAINTAINERS $ROOT_DIR/
+ln -s ../COPYING ../ChangeLog ../Packaging ../ReadMe-2.4.3 ../MAINTAINERS $ROOT_DIR/
 ln -s ../TRADEMARK ../COMMERCIAL ../install ../install-sh $ROOT_DIR/

-tar jhcf $ROOT_DIR.tar.bz2 $ROOT_DIR --exclude $EXCLUDES
+EXTENSIONS=(tar.bz2 tar.gz tar.xz)
+TAR_OPTIONS=(j z J)

-sha1sum $ROOT_DIR.tar.bz2 > $ROOT_DIR.sha1
-sha1sum bin/* >> $ROOT_DIR.sha1
+sha1() {
+  sha1sum "$@" || shasum "$@"
+}
+
+sha512() {
+  sha512sum "$@" || shasum -a 512 "$@"
+}
+
+sign() {
+  if which gpg >/dev/null 2>&1; then
+    gpg --detach-sign --output "$1.asc" "$1"
+  else
+    echo "gpg unavailable, release is unsigned !!" >&2
+    exit 1
+  fi
+}
+
+for INDEX in 1 2 3; do
+  EXTENSION="${EXTENSIONS[$INDEX]}"
+  TAR_OPTIONS="${TAR_OPTIONS[$INDEX]}"
+  TARBALL="$ROOT_DIR.${EXTENSION}"
+
+  tar $EXCLUDES -${TAR_OPTIONS}hcf $TARBALL $ROOT_DIR
+
+  sha1 $TARBALL > $ROOT_DIR.sha1
+  sha1 bin/* >> $ROOT_DIR.sha1
+
+  sha512 $TARBALL > $ROOT_DIR.sha512
+  sha512 bin/* >> $ROOT_DIR.sha512
+
+  # sign the tarball
+  sign $TARBALL
+
+  # sign the hashes
+  sign $ROOT_DIR.sha1
+  sign $ROOT_DIR.sha512
+done
--- a/contrib/osx/README.md
+++ b/contrib/osx/README.md
@ -0,0 +1,41 @@
+# OSX readme
+
+## What this does
+
+- Runs tripwire whenever connected to power
+- Automatically grooms logs (not reports, its a todo)
+
+
+## Installation
+
+1. Edit `./homebrew_install_scripts_and_config` to taste
+2. Run `./homebrew_install_scripts_and_config` as root
+3. Modify `TRIPWIRE_ETC_DIR/twcfg.txt` and `TRIPWIRE_ETC_DIR/twpol.txt` to taste
+4. Make up two brand-new, 24+ character passwords (they MUST not be the same), and store them securely before continuing:
+
+  - site passphrase
+  - local passphrase
+
+5. Run the following commands as root:
+
+    ```
+    TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases
+    TRIPWIRE_ROOT/sbin/tripwire_update_config_file # twcfg.txt -> tw.cfg
+    TRIPWIRE_ROOT/sbin/tripwire_update_policy_file # twpol.txt -> tw.pol
+    TRIPWIRE_ROOT/sbin/tripwire --init             # this creates a new encrypted database
+    ```
+
+6. Enable periodic jobs (run as root): 
+
+    ```
+    launchctl load -w /Library/LaunchDaemons/org.tripwire.Tripwire.plist
+    ```
+
+
+## Uninstallation (run with sudo or su)
+
+    launchctl unload -w /Library/LaunchDaemons/org.tripwire.Tripwire.plist
+    rm -f /Library/LaunchDaemons/org.tripwire.Tripwire.plist
+    TRIPWIRE_ROOT/sbin/tripwire_uninstall
+    # or remove everything: TRIPWIRE_ROOT/sbin/tripwire_uninstall -A 
+
--- a/contrib/osx/homebrew_install_scripts_and_config
+++ b/contrib/osx/homebrew_install_scripts_and_config
@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# 1. install all tripwire_* scripts from contrib/ and contrib/osx/ 
+# 2. installs policy and config text files 
+# 3. installs the plist but does not launch it
+#
+set -e
+
+## start config -- edits okay here 
+TRIPWIRE_ROOT="${TRIPWIRE_ROOT-/usr/local/tripwire}"
+TRIPWIRE_ETC_DIR="${TRIPWIRE_ETC_DIR-$TRIPWIRE_ROOT/etc}"
+TRIPWIRE_DB_DIR="${TRIPWIRE_DB_DIR-$TRIPWIRE_ROOT/lib/tripwire}"
+TRIPWIRE_LOG_DIR="${TRIPWIRE_LOG_DIR-/usr/local/var/log}"
+## end config -- dont edit past here
+export TRIPWIRE_ROOT
+export TRIPWIRE_ETC_DIR
+export TRIPWIRE_DB_DIR
+export TRIPWIRE_LOG_DIR
+
+THIS_SCRIPT_DIR="$(cd `dirname "$0"`; pwd)"
+THIS_SCRIPT_DIR_DOTDOT="$(dirname "$THIS_SCRIPT_DIR")"
+GENERATE_FROM_TEMPLATE="${THIS_SCRIPT_DIR_DOTDOT}/generate_from_template"
+
+"$THIS_SCRIPT_DIR_DOTDOT/generic_install_scripts"
+
+for OSX_SCRIPT in tripwire_*; do
+  "$GENERATE_FROM_TEMPLATE" $OSX_SCRIPT "$TRIPWIRE_ROOT/sbin/$OSX_SCRIPT" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
+
+for ETC_FILE_SAMPLE in tw*.txt.sample; do
+  ETC_FILE="$(echo $ETC_FILE | sed 's/\.sample//')"
+  "$GENERATE_FROM_TEMPLATE" $ETC_FILE_SAMPLE "$TRIPWIRE_ETC_DIR/$ETC_FILE" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
+
+"$GENERATE_FROM_TEMPLATE" org.tripwire.Tripwire.plist /Library/LaunchDaemons/org.tripwire.Tripwire.plist "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
--- a/contrib/osx/org.tripwire.Tripwire.plist
+++ b/contrib/osx/org.tripwire.Tripwire.plist
@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.tripwire.Tripwire</string>
+  <key>Nice</key>
+  <integer>5</integer>
+  <key>ProgramArguments</key>
+  <array>
+    <string>TRIPWIRE_ROOT/sbin/tripwire_periodic_check</string>
+  </array>
+  <key>Disabled</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <false/>
+  <key>StartInterval</key>
+  <integer>3600</integer>
+</dict>
+</plist>
--- a/contrib/osx/twcfg.txt.sample
+++ b/contrib/osx/twcfg.txt.sample
@ -0,0 +1,15 @@
+ROOT          =TRIPWIRE_ROOT/sbin
+POLFILE       =TRIPWIRE_ETC_DIR/tw.pol
+DBFILE        =TRIPWIRE_DB_DIR/$(HOSTNAME).twd
+REPORTFILE    =TRIPWIRE_DB_DIR/report/$(HOSTNAME)-$(DATE).twr
+SITEKEYFILE   =TRIPWIRE_ETC_DIR/site.key
+LOCALKEYFILE  =TRIPWIRE_ETC_DIR/$(HOSTNAME)-local.key
+EDITOR        =/usr/bin/vi
+LATEPROMPTING =false
+LOOSEDIRECTORYCHECKING =false
+MAILNOVIOLATIONS =true
+EMAILREPORTLEVEL =3
+REPORTLEVEL   =3
+MAILMETHOD    =SENDMAIL
+SYSLOGREPORTING =false
+MAILPROGRAM   =/usr/sbin/sendmail -oi -t
--- a/contrib/osx/twpol.txt.sample
+++ b/contrib/osx/twpol.txt.sample
@ -0,0 +1,366 @@
+  ##############################################################################
+ #                                                                            ##
+############################################################################## #
+#                                                                            # #
+#                    Policy file for Mac OS X                                # #
+#                        December 31, 2013                                   # #
+#                                                                            ##
+##############################################################################
+
+  ##############################################################################
+ #                                                                            ##
+############################################################################## #
+#                                                                            # #
+# Global Variable Definitions                                                # #
+#                                                                            # #
+# These are defined at install time by the installation script.  You may     # #
+# manually edit these if you are using this file directly and not from the   # #
+# installation script itself.                                                # #
+#                                                                            ##
+##############################################################################
+
+@@section GLOBAL
+
+TW_ROOT="TRIPWIRE_ROOT"
+TW_DB_DIR="TRIPWIRE_DB_DIR"
+TW_ETC_DIR="TRIPWIRE_ETC_DIR"
+
+TWDOCS="$(TW_ROOT)/doc/tripwire";
+TWBIN="$(TW_ROOT)/sbin";
+TWPOL="$(TW_ETC_DIR)";
+TWDB="$(TW_DB_DIR)";
+TWSKEY="$(TW_ETC_DIR)";
+TWLKEY="$(TW_ETC_DIR)";
+TWREPORT="$(TW_DB_DIR)/report";
+#USER1=frodo ;
+
+
+  ##############################################################################
+ #  Predefined Variables                                                      #
+##############################################################################
+#
+#  Property Masks
+#
+#  -  ignore the following properties
+#  +  check the following properties
+#
+#  a  access timestamp (mutually exclusive with +CMSH)
+#  b  number of blocks allocated
+#  c  inode creation/modification timestamp
+#  d  ID of device on which inode resides
+#  g  group id of owner
+#  i  inode number
+#  l  growing files (logfiles for example)
+#  m  modification timestamp
+#  n  number of links
+#  p  permission and file mode bits
+#  r  ID of device pointed to by inode (valid only for device objects)
+#  s  file size
+#  t  file type
+#  u  user id of owner
+#
+#  C  CRC-32 hash
+#  H  HAVAL hash
+#  M  MD5 hash
+#  S  SHA hash
+#
+##############################################################################
+
+SEC_DEVICE        = +pugsr-dintlbamcCMSH ;
+SEC_DYNAMIC       = +pinugt-dsrlbamcCMSH ;
+SEC_READONLY      = +pinugtsbmCM-drlacSH ;
+SEC_GROWING       = +pinugtl-dsrbamcCMSH ;
+
+IgnoreAll     = -pinugtsdrlbamcCMSH ;
+IgnoreNone    = +pinugtsdrbamcCMSH-l ;
+Temporary     = +pugt ;
+
+@@section FS 
+
+  ########################################
+ #                                      ##
+######################################## #
+#                                      # #
+#  Tripwire Binaries and Data Files    # #
+#                                      ##
+########################################
+
+# Tripwire Binaries
+(
+  rulename = "Tripwire Binaries", severity=100
+)
+{
+  $(TWBIN)/siggen                      -> $(SEC_READONLY) ;
+  $(TWBIN)/tripwire                    -> $(SEC_READONLY) ;
+  $(TWBIN)/twadmin                     -> $(SEC_READONLY) ;
+  $(TWBIN)/twprint                     -> $(SEC_READONLY) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+  rulename = "Tripwire Data Files", severity=100
+)
+{
+  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+  # it does so by renaming the old file and creating a new one (which will
+  # have a new inode number).  Inode is left turned on for keys, which shouldn't
+  # ever change.
+
+  # NOTE: The first integrity check triggers this rule and each integrity check
+  # afterward triggers this rule until a database update is run, since the
+  # database file does not exist before that point.
+
+  $(TWDB)                              -> $(SEC_DYNAMIC) -i ;
+  $(TWPOL)/tw.pol                      -> $(SEC_READONLY) -i ;
+  $(TWPOL)/tw.cfg                      -> $(SEC_READONLY) -i ;
+  # $(TWLKEY)/local.key                  -> $(SEC_READONLY) ;
+  $(TWSKEY)/site.key                   -> $(SEC_READONLY) ;
+
+  # don't scan the individual reports
+  $(TWREPORT)                          -> $(SEC_DYNAMIC)(recurse=0) ;
+
+
+}
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  OS Boot and Configuration Files             # #
+#                                              ##
+################################################
+(
+  rulename = "OS Boot and Configuration Files", severity=100
+)
+{
+ #/mach.sym                               -> $(SEC_READONLY)-im ;
+  /mach_kernel                            -> $(SEC_READONLY) ;
+  /private/etc                            -> $(SEC_READONLY)-m ;
+
+ #/private/etc/appletalk.cfg              -> $(SEC_READONLY)-im ;
+ #/private/etc/appletalk.nvram.en0        -> $(SEC_DYNAMIC) ;
+  /private/etc/cups/certs                 -> $(SEC_DYNAMIC) -i(recurse=0) ;
+ #/private/etc/smb.conf                   -> $(SEC_READONLY)-im ;
+
+  /Library                                -> $(SEC_READONLY) ;
+  /System                                 -> $(SEC_READONLY) ;
+
+  /Library/Printers                       -> $(SEC_READONLY)(recurse=2) ;
+  /Library/Documentation                  -> $(SEC_READONLY)(recurse=2) ;
+  /Library/Filesystems                    -> $(SEC_DYNAMIC)-i ;
+  /Library/"Application Support"          -> $(SEC_DYNAMIC)-im(recurse=2) ;
+
+  /System/Library/Filesystems             -> $(SEC_DYNAMIC)-i ;
+  /System/Library/CoreServices            -> $(SEC_READONLY)-im ;
+  /System/Library/Filesystems/hfs.fs      -> $(SEC_DYNAMIC)(recurse=0) ;
+
+}
+
+  ###################################################
+ #                                                 ##
+################################################### #
+#                                                 # #
+#  Mount Points                                   # #
+#                                                 ##
+###################################################
+(
+  rulename = "Mount Points", severity=60
+)
+{
+  /                             -> $(SEC_READONLY)(recurse=0) ;
+  /Volumes                      -> $(SEC_READONLY)-M (recurse=0) ;
+  /usr                          -> $(SEC_READONLY)(recurse=0) ;
+
+}
+
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  System Devices                              # #
+#                                              ##
+################################################
+(
+  rulename = "System Devices", severity=60
+)
+{
+  /dev                          -> $(SEC_DEVICE)(recurse=0) ;
+}
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  OS Binaries and Libraries                   # #
+#                                              ##
+################################################
+(
+  rulename = "OS Binaries and Libraries", severity=100
+)
+{
+  /bin                          -> $(SEC_READONLY) ;
+  /sbin                         -> $(SEC_READONLY) ;
+  /usr/bin                      -> $(SEC_READONLY) ;
+  /usr/lib                      -> $(SEC_READONLY) ;
+  /usr/libexec                  -> $(SEC_READONLY) ;
+  /usr/sbin                     -> $(SEC_READONLY) ;
+  /usr/X11                      -> $(SEC_READONLY)(recurse=2) ;   # May not be present
+ #/usr/X11/man                  -> $(SEC_DYNAMIC)-i(recurse=1) ;  # May not be present
+  /usr/share                    -> $(SEC_READONLY) ;
+  /usr/share/man                -> $(SEC_DYNAMIC)-i(recurse=1) ;
+
+}
+
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  OS X Applications                           # #
+#                                              ##
+################################################
+(
+  rulename = "OS Binaries and Libraries", severity=100
+)
+{
+   /Applications                -> $(SEC_READONLY)-im(recurse=2) ;
+}
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  Usr Local Files                             # #
+#                                              ##
+################################################
+(
+   rulename = "Usr Local Files", severity=60
+)
+{
+  /usr/local                    -> $(SEC_READONLY) ;
+  /usr/local/sbin               -> $(SEC_READONLY) ;
+  /usr/local/bin                -> $(SEC_READONLY) ;
+  /usr/local/include            -> $(SEC_READONLY) ;
+  /usr/local/opt                -> $(SEC_READONLY) ;
+  /usr/local/libexec            -> $(SEC_READONLY) ;
+  /usr/local/lib                -> $(SEC_READONLY) ;
+  /usr/local/etc                -> $(SEC_READONLY) ;
+  /usr/local/share              -> $(SEC_READONLY) ;
+  /usr/local/man                -> $(SEC_READONLY) ;
+  /usr/local/Frameworks         -> $(SEC_READONLY) ;
+  # Homebrew
+  /usr/local/.git               -> $(SEC_READONLY) ;
+  /usr/local/Cellar             -> $(SEC_READONLY) ;
+}
+
+
+  ################################################
+ #                                              ##
+################################################ #
+#                                              # #
+#  Temporary Files and Directories             # #
+#                                              ##
+################################################
+(
+  rulename = "Variable System Files", severity=60
+)
+{
+  /private/tmp                                 -> $(SEC_DYNAMIC)-in(recurse=0) ;
+
+  /private/tftpboot                            -> $(SEC_READONLY)-i ;
+
+  /private/var                                 -> $(SEC_READONLY)-i ;
+  /private/var/backups                         -> $(SEC_READONLY)-imc(severity=100) ;
+ #/private/var/backups/local.nidump            -> $(SEC_DYNAMIC) -i(severity=100) ;
+ #/private/var/cron                            -> $(SEC_DYNAMIC) -i ;
+  /private/var/db                              -> $(SEC_READONLY)-im ;
+  /private/var/db/BootCache.playlist           -> $(SEC_DYNAMIC) -i ;
+ #/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
+ #/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ;
+ #/private/var/db/prebindOnDemandBadFiles      -> $(SEC_DYNAMIC) -i ;
+  /private/var/log                             -> $(SEC_DYNAMIC) -i ;
+ #/private/var/mail                            -> $(SEC_DYNAMIC) ;
+  /private/var/msgs/bounds                     -> $(SEC_READONLY)-smbCM ;
+  /private/var/root/Library/Caches             -> $(SEC_DYNAMIC) -i ;
+  /private/var/run                             -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
+ #/private/var/slp.regfile                     -> $(SEC_READONLY)-im ;
+ #/private/var/spool/clientmqueue              -> $(SEC_DYNAMIC)(recurse=0) ;
+  /private/var/spool/mqueue                    -> $(SEC_DYNAMIC)(recurse=0) ;
+ #/private/var/spool/lock                      -> $(SEC_DYNAMIC) -i(recurse=1) ;
+  /private/var/spool/cups                      -> $(SEC_DYNAMIC) -i(recurse=0) ;
+  /private/var/tmp                             -> $(SEC_DYNAMIC) -i(recurse=0) ;
+  /private/var/vm                              -> $(SEC_DYNAMIC)(recurse=0) ;
+
+  /Library/Caches                       -> $(SEC_DYNAMIC) -i ;
+  /Library/Logs                         -> $(SEC_DYNAMIC) -i(recurse=1) ;
+  /Library/Preferences                  -> $(SEC_DYNAMIC) -i(recurse=1) ;
+ "/Library/Internet Plug-Ins"           -> $(SEC_DYNAMIC) -i ;
+
+ !/private/var/db/dhcpclient ;
+ !/private/var/db/dhcpd_leases ;
+ !/private/var/db/locate.database ;
+ !/private/var/db/SystemEntropyCache ;
+ !/private/var/db/mds/messages/se_SecurityMessages ;
+ !/private/var/db/samba/secrets.tdb ;
+ !/private/var/db/ntp.drift ;
+ !/private/var/folders ;
+ !/private/var/vm/sleepimage ;
+ !/private/var/vm/swap0 ;
+ !/private/var/vm/swap[1-9][0-9]* ;
+ # Sophos
+ !/Library/Caches/com.sophos.sau ;
+ !/Library/Caches/com.sophos.sxld ;
+}
+
+
+  ###################################################
+ #                                                 ##
+################################################### #
+#                                                 # #
+#  User Home Directories                          # #
+#                                                 ##
+###################################################
+(
+  rulename = "Home Directories", severity=60
+)
+{
+  /Users                                      -> $(SEC_READONLY)(recurse=0) ;  # Modify as needed
+
+
+#####
+#
+# USER1 as defined at top of policy
+#
+#####
+
+#  /Users/$(USER1)                                -> $(SEC_READONLY)-mc ;
+#  /Users/$(USER1)/Library/Preferences            -> $(SEC_DYNAMIC)-i ;
+# "/Users/$(USER1)/Library/Recent Servers"        -> $(SEC_DYNAMIC)-i ;
+# "/Users/$(USER1)/Library/Safari"                -> $(SEC_DYNAMIC)-i(recurse=3) ;
+# "/Users/$(USER1)/Library/Spelling"              -> $(SEC_DYNAMIC)-i ;
+# "/Users/$(USER1)/Library/Mail"                  -> $(SEC_DYNAMIC)-i(recurse=2) ;
+# "/Users/$(USER1)/Pictures/iPhoto Library"       -> $(SEC_DYNAMIC)-i(recurse=1) ;
+# "/Users/$(USER1)/Library/Application Support"   -> $(SEC_DYNAMIC)-im(recurse=2) ;
+#  /Users/$(USER1)/Documents                      -> $(SEC_DYNAMIC)(recurse=0) ;
+#  /Users/$(USER1)/Desktop                        -> $(SEC_DYNAMIC)(recurse=0) ;
+
+
+#!"/Users/$(USER1)/Documents/Virtual PC List" ;    # These items are *huge*, and are of little value to scan.
+#!"/Users/$(USER1)/Library/Preferences/Microsoft/Clipboard" ;
+#!"/Users/$(USER1)/Library/Safari/Icons" ;
+#!"/Users/$(USER1)/Music/iTunes" ;
+#!"/Users/$(USER1)/Library/Caches" ;
+#!"/Users/$(USER1)/Library/Cookies" ;
+#!"/Users/$(USER1)/Library/Logs" ;
+#!"/Users/$(USER1)/Library/Folding@home" ;
+#!"/Users/$(USER1)/setiathome" ;
+#!"/Users/$(USER1)/Documents/seti-A" ;
+#!"/Users/$(USER1)/Documents/seti-B" ;
+#!"/Users/$(USER1)/.tcsh_history" ;
+#!"/Users/$(USER1)/.DS_Store" ;
+#!"/Users/$(USER1)/Public/.DS_Store" ;
+#!"/Users/$(USER1)/.jpi_cache" ;
+#!"/Users/$(USER1)/.lpoptions" ;
+#!"/Users/$(USER1)/.Trash" ;
+}
--- a/contrib/tripwire_accept_new_baseline
+++ b/contrib/tripwire_accept_new_baseline
@ -0,0 +1,6 @@
+#!/bin/sh
+TIMESTAMP=$(/bin/date +%Y-%m-%dT%H:%M:%S%z)
+REPORT="$(find TRIPWIRE_ROOT/lib/tripwire/report -type f | tail -1)"
+read -p "Accept $REPORT ? [accept] " PROMPT
+test "$PROMPT" != 'accept' && exit 1
+time TRIPWIRE_ROOT/sbin/tripwire -m u -a -r "$REPORT" 2>&1 | tee TRIPWIRE_LOG_DIR/tripwire_database-updated-baseline_$TIMESTAMP.log
--- a/contrib/tripwire_check
+++ b/contrib/tripwire_check
@ -0,0 +1,23 @@
+#!/bin/sh
+#
+#  Tripwire cron script borrowed from Linux and modified for generic situations.
+#  You should of course change path names to suit your environment.
+#
+#  Contributed by Timothy K Ewing <Timothy.Ewing@celera.com>
+#
+HOST_NAME=`uname -n`
+TWCFG_PATH=TRIPWIRE_ETC_DIR
+TWDB_PATH=TRIPWIRE_DB_DIR
+TWROOT_PATH=TRIPWIRE_ROOT
+MAILTO="root"		# Email addresses that should recieve reports
+
+#
+#  Define checks which alert user to misconfiguration or run the check
+#
+if [ ! -e ${TWDB_PATH}/${HOST_NAME}.twd ]; then
+   echo "****   Error: Tripwire database for ${HOST_NAME} not found.  ****"
+   echo "****  Verify tripwire was installed and/or "tripwire --init".  ****"
+else
+   test -f ${TWCFG_PATH}/tw.cfg && ${TWROOT_PATH}/tripwire --check | \
+	mail -s "${HOST_NAME} tripwire-check" ${MAILTO}
+fi
--- a/contrib/tripwire_log_rotate
+++ b/contrib/tripwire_log_rotate
@ -0,0 +1,50 @@
+#!/bin/sh -e
+
+RM='rm -f'
+#RM='echo rm -f'
+
+LOG_START="$1"
+LOG_EXT="$2"
+
+NOW="$(/bin/date +%Y%m%d)"
+NOW_YEAR="$(echo $NOW | cut -c-4)"
+NOW_MONTH="$(echo $NOW | cut -c5-6)"
+NOW_DAY="$(echo $NOW | cut -c7-8)"
+
+LOG_START_LEN="$(echo $LOG_START | wc -c | awk '{print$1}')"
+
+YEARS="$(ls $LOG_START*$LOG_EXT | cut -c$LOG_START_LEN-$[LOG_START_LEN+3] | sort -u)"
+
+for YEAR in $YEARS; do
+  if [ "$YEAR" = "$NOW_YEAR" ]; then
+    # only keep one per day 
+    for MONTH in `seq -f "%02g" 12`; do
+      for DAY in `seq -f "%02g" 31`; do
+        if [ "$NOW_MONTH" = "$MONTH" ] && [ "$NOW_DAY" = "$DAY" ]; then
+          # if now is today, dont prune anything
+          :; 
+        else
+          # save only the first report per day 
+          FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-${DAY}T*${LOG_EXT} 2>/dev/null | tail -n +2)"
+          #FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-${DAY}T*${LOG_EXT} | tail -n +2)"
+          if [ -n "$FILES" ]; then
+            set -x
+            $RM $FILES
+            set +x
+          fi 
+        fi
+      done # DAY
+    done # MONTH
+  else # not current year
+    # only keep one per month
+    for MONTH in `seq -f "%02g" 12`; do
+      FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-*${LOG_EXT} 2>/dev/null | tail -n +2)"
+      #FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-*${LOG_EXT} | tail -n +2)"
+      if [ -n "$FILES" ]; then
+        set -x
+        $RM $FILES
+        set +x
+      fi 
+    done # MONTH
+  fi
+done # YEAR
--- a/contrib/tripwire_periodic_check
+++ b/contrib/tripwire_periodic_check
@ -0,0 +1,18 @@
+#!/bin/sh
+
+on_battery_power() {
+  case `uname` in
+  Darwin)  pmset -g batt | grep -q discharging
+    *) false
+  esac
+}
+
+if on_battery_power; then
+  echo "Skipping tripwire check due to computer being on battery power" >&2
+  exit 1
+fi
+TIMESTAMP=$(/bin/date +%Y-%m-%dT%H:%M:%S%z)
+time TRIPWIRE_ROOT/sbin/tripwire -m c 2>&1 | tee TRIPWIRE_LOG_DIR/tripwire_periodic_$TIMESTAMP.log
+TRIPWIRE_ROOT/sbin/tripwire_log_rotate "TRIPWIRE_LOG_DIR/tripwire_periodic_" ".log"
+
+## Todo: Automatically groom reports in `TRIPWIRE_DB_DIR/report/*.twr`
--- a/contrib/tripwire_set_site_and_local_passphrases
+++ b/contrib/tripwire_set_site_and_local_passphrases
@ -0,0 +1,3 @@
+#!/bin/sh
+# creates TRIPWIRE_ROOT/etc/site.key and TRIPWIRE_ROOT/etc/(hostname)-local.key
+TRIPWIRE_ROOT/sbin/twadmin --generate-keys --local-keyfile TRIPWIRE_ROOT/etc/$(hostname -f)-local.key --site-keyfile TRIPWIRE_ROOT/etc/site.key
--- a/contrib/tripwire_uninstall
+++ b/contrib/tripwire_uninstall
@ -0,0 +1,152 @@
+#!/bin/sh
+set -e
+
+unset NO_CONFIRM
+unset NO_REMOVE
+unset REMOVE_REPORTS
+unset REMOVE_LOGS
+unset REMOVE_DB
+unset REMOVE_KEYS
+unset RM
+
+UNAME=`uname`
+
+help() {
+  cat >&2 << 'HELP'
+
+    tripwire_uninstall [-y] [-N] [ [-R] [-L] [-D] [-K] | [-A] ]
+
+          -y no confirmation (unattended operation)
+          -N dont remove binaries, docs and man pages
+          -A remove everything (logs, reports, db and keys)
+          -R remove reports
+          -L remove logs
+          -D remove db
+          -K remove keys
+
+          -N with -Y is valid
+
+  
+HELP
+}
+
+while [ "$#" != 0 ]; do
+  case "$1" in
+  -y) NO_CONFIRM=1 ;;
+  -N) NO_REMOVE=1 ;;
+  -L) REMOVE_LOGS=1 ;;
+  -D) REMOVE_DB=1 ;;
+  -K) REMOVE_KEYS=1 ;;
+  -A) REMOVE_LOGS=1
+      REMOVE_KEYS=1
+      REMOVE_DB=1
+      ;;
+  *) help ; exit 1
+  esac
+  shift
+done
+
+secure_rm() {
+case $UNAME in
+  Darwin)
+    /usr/bin/srm -vf -- "$@"
+    ;;
+  Linux)
+    /usr/bin/shred -vfu -- "$@"
+    ;;
+  FreeBSD|*)
+    # 3x wipe
+    for FILE in "$@"; do
+      /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+      /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+      /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+    done
+    rm -vf "$@"
+    ;;
+esac
+}
+
+secure_rm_rf() {
+case $UNAME in
+  Darwin)
+    /usr/bin/srm -vrf -- "$@"
+    ;;
+  Linux)
+    /usr/bin/find "$@" -type f -exec /usr/bin/shred -vfu -- {} \;
+    rm -vrf "$@"
+    ;;
+  FreeBSD|*)
+    # 3x wipe
+    /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+    /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+    /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+    rm -vrf "$@"
+    ;;
+esac
+}
+
+
+if [ -n "$NO_CONFIRM" ]; then
+  :; # noop
+else
+  printf "Uninstall tripwire ? [Yn] "
+
+  unset PROMPT
+  read PROMPT
+
+  if [ "$PROMPT" = 'y' ] || [ "$PROMPT" = 'Y' ]; then
+    :; # noop
+  else
+    echo "user cancelled" >&2
+    exit 1
+  fi
+fi
+
+if [ -z "$NO_REMOVE" ]; then
+  echo "removing tripwire binaries, scripts, docs and man pages" >&2
+
+  # binaries
+  secure_rm "TRIPWIRE_ROOT/sbin/siggen"
+  secure_rm "TRIPWIRE_ROOT/sbin/tripwire"
+  secure_rm "TRIPWIRE_ROOT/sbin/twadmin"
+  secure_rm "TRIPWIRE_ROOT/sbin/twprint"
+
+  # scripts
+  secure_rm "TRIPWIRE_ROOT/sbin/tripwire_"*
+
+  # docs
+  secure_rm_rf "TRIPWIRE_ROOT/doc/tripwire"
+
+  # man pages
+  secure_rm "TRIPWIRE_ROOT/share/man/man4/twconfig.4"
+  secure_rm "TRIPWIRE_ROOT/share/man/man4/twpolicy.4"
+  secure_rm "TRIPWIRE_ROOT/share/man/man5/twfiles.5"
+  secure_rm "TRIPWIRE_ROOT/share/man/man8/siggen.8"
+  secure_rm "TRIPWIRE_ROOT/share/man/man8/tripwire.8"
+  secure_rm "TRIPWIRE_ROOT/share/man/man8/twadmin.8"
+  secure_rm "TRIPWIRE_ROOT/share/man/man8/twintro.8"
+  secure_rm "TRIPWIRE_ROOT/share/man/man8/twprint.8"
+fi
+
+
+if [ -n "$REMOVE_REPORTS" ]; then
+  echo "removing tripwire reports" >&2
+  secure_rm "TRIPWIRE_ROOT/lib/tripwire/report"/*.twr
+fi
+
+if [ -n "$REMOVE_LOGS" ]; then
+  echo "removing tripwire logs" >&2
+  secure_rm "TRIPWIRE_LOG_DIR/tripwire_periodic_"*.log
+fi
+
+if [ -n "$REMOVE_DB" ]; then
+  echo "removing tripwire db" >&2
+  secure_rm "TRIPWIRE_ROOT/lib/tripwire"/*.twd*
+fi
+
+if [ -n "$REMOVE_KEYS" ]; then
+  echo "removing tripwire keys" >&2
+  secure_rm "TRIPWIRE_ROOT/etc"/*.key
+fi
+
+echo "finished removing tripwire" >&2
--- a/contrib/tripwire_update_config_file
+++ b/contrib/tripwire_update_config_file
@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Overwrites TRIPWIRE_ROOT/etc/tw.cfg
+# TRIPWIRE_ROOT/etc/twcfg.txt -> TRIPWIRE_ROOT/etc/tw.cfg
+#
+set -e
+
+if [ ! -e "TRIPWIRE_ROOT/etc/site.key" ]; then
+  echo "Missing TRIPWIRE_ROOT/etc/site.key" >&2
+  echo >&2
+  echo "Run TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases first" >&2
+  exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/twcfg.txt" ]; then
+  echo "Missing TRIPWIRE_ROOT/etc/twcfg.txt" >&2
+  echo >&2
+  echo "Create and customize it for your environment and try again" >&2
+  exit 1
+fi
+
+TRIPWIRE_ROOT/sbin/twadmin --create-cfgfile -S TRIPWIRE_ROOT/etc/site.key TRIPWIRE_ROOT/etc/twcfg.txt
--- a/contrib/tripwire_update_policy_file
+++ b/contrib/tripwire_update_policy_file
@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Overwrites TRIPWIRE_ROOT/etc/tw.pol
+# TRIPWIRE_ROOT/etc/twpol.txt -> TRIPWIRE_ROOT/etc/tw.pol
+#
+set -e
+
+if [ ! -e "TRIPWIRE_ROOT/etc/site.key" ]; then
+  echo "Missing TRIPWIRE_ROOT/etc/site.key" >&2
+  echo >&2
+  echo "Run TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases first" >&2
+  exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/tw.cfg" ]; then
+  echo "Missing TRIPWIRE_ROOT/etc/tw.cfg" >&2
+  echo >&2
+  echo "Run TRIPWIRE_ROOT/sbin/tripwire_update_config_file first" >&
+  exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/twpol.txt" ]; then
+  echo "Missing TRIPWIRE_ROOT/etc/twpol.txt" >&2
+  echo >&2
+  echo "Create and customize it for your environment and try again" >&2
+  exit 1
+fi
+
+TRIPWIRE_ROOT/sbin/twadmin --create-polfile -S TRIPWIRE_ROOT/etc/site.key TRIPWIRE_ROOT/etc/twpol.txt