diff --git a/ChangeLog b/ChangeLog index 0bd4983..f53bcc9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,12 +7,18 @@ * Fix handling of SHA hashes (with and without OpenSSL hash impl.) * Update GNU config.guess & config.sub to current versions * Compilation fixes for various and sundry Posix-esque platforms - (Mac OS X, OpenBSD, OpenSolaris, Cygwin, Minix 3.x, GNU/Hurd, MidnightBSD, Haiku, Syllable, SkyOS) + (Mac OS X, OpenBSD, OpenSolaris, Cygwin, Minix 3.x, GNU/Hurd, MidnightBSD, Haiku, Syllable, SkyOS, Sortix) * Added script to bump buildys file timestaps, to fix spurious aclocal/automake errors on a fresh clone/untar/etc. * Update 'make dist' to bundle manpages & policy files * Replace broken RPM spec w/ 'Packaging' doc that explains where to get packaging stuff. + * Add contributed files from 2.4.2.3 fork (see below) +2014-01-01 Barry Allard + + * Bumping version to 2.4.2.3 + * Fixed compilation on clang and gcc compilers + 2011-11-21 Stephane Dudzinski * Bumping version to 2.4.2.2 diff --git a/MAINTAINERS b/MAINTAINERS index 7c5b29c..5ce3786 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -10,6 +10,8 @@ itripn@users.sourceforge.net Community Contributors: +Thom O'Connor (https://github.com/thomoco): Contributed LLVM/clang build fixes. + Paul Herman (www.frenchfries.net/paul/tripwire): Paul is almost solely responsible for the meat of the 2.4.0.1 release. His work on the autoconf and gcc 3.x support (among other things) has contributed to a much more diff --git a/Packaging b/Packaging index e1b8bc6..acfc94a 100644 --- a/Packaging +++ b/Packaging @@ -1,6 +1,10 @@ Packaging for Open Source Tripwire is maintained by various third parties: - * RPM: http://pkgs.fedoraproject.org/cgit/rpms/tripwire.git/ + * RPM (Fedora): http://pkgs.fedoraproject.org/cgit/rpms/tripwire.git/ + + * RPM (OpenSuSE): https://build.opensuse.org/package/show/security/tripwire + + * RPM (AIX): http://www.perzl.org/aix/index.php?n=Main.Tripwire * Debian: https://tracker.debian.org/pkg/tripwire 
@@ -10,6 +14,8 @@ Packaging for Open Source Tripwire is maintained by various third parties: * FreshPorts (BSD): http://www.freshports.org/security/tripwire + * MacPorts: https://trac.macports.org/browser/trunk/dports/security/tripwire + * NetBSD pkgsrc: http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/tripwire/README.html NOTE: At present (March 2016), NetBSD provides the ancient Tripwire 1.2, from the mid-1990s. That version lacks contemporary hash algorithms, and you probably don't want to use it. diff --git a/ReadMe-2.4.3 b/ReadMe-2.4.3 index c051013..810f616 100644 --- a/ReadMe-2.4.3 +++ b/ReadMe-2.4.3 @@ -26,6 +26,7 @@ Linuxes - CentOS 7 (amd64) + gcc 4.8.5 - Ubuntu 14.0.4 (amd64) + gcc 4.x - RHEL 3.4 (Itanium) + gcc 3.4.3 +- Android 6.0 + gcc 4.9 OSX - Mac OS X 10.11 + LLVM 7.0.2 / clang-700.1.81 @@ -47,4 +48,17 @@ Other - Haiku R1 Alpha 4 + gcc 4 - Syllable 0.67 + gcc 4.1.2 - SkyOS 5 (beta 6947) + gcc 4.1.1 +- Sortix 1.0 + gcc 5.3.0 + + +Building Notes: + +* If cross compiling, a --disable-openssl argument must be passed to ./configure, +since its OpenSSL existence check currently uses an AC_TRY_RUN macro. + +* Recent Android versions may require additional compiler & linker arguments: +“-fPIE" in CFLAGS and "-fPIE -pie" in LDFLAGS. It's simplest to add these +to configure.in and run autoreconf -i instead of hand-editing each Makefile +individually. + diff --git a/autogen.sh b/autogen.sh new file mode 100755 index 0000000..5bce9ba --- /dev/null +++ b/autogen.sh 
@@ -0,0 +1,1578 @@ +#!/bin/sh +# a u t o g e n . s h +# +# Copyright (c) 2005-2009 United States Government as represented by +# the U.S. Army Research Laboratory. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# 3. The name of the author may not be used to endorse or promote +# products derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +### +# +# Script for automatically preparing the sources for compilation by +# performing the myriad of necessary steps. The script attempts to +# detect proper version support, and outputs warnings about particular +# systems that have autotool peculiarities. 
+# +# Basically, if everything is set up and installed correctly, the +# script will validate that minimum versions of the GNU Build System +# tools are installed, account for several common configuration +# issues, and then simply run autoreconf for you. +# +# If autoreconf fails, which can happen for many valid configurations, +# this script proceeds to run manual preparation steps effectively +# providing a POSIX shell script (mostly complete) reimplementation of +# autoreconf. +# +# The AUTORECONF, AUTOCONF, AUTOMAKE, LIBTOOLIZE, ACLOCAL, AUTOHEADER +# environment variables and corresponding _OPTIONS variables (e.g. +# AUTORECONF_OPTIONS) may be used to override the default automatic +# detection behaviors. Similarly the _VERSION variables will override +# the minimum required version numbers. +# +# Examples: +# +# To obtain help on usage: +# ./autogen.sh --help +# +# To obtain verbose output: +# ./autogen.sh --verbose +# +# To skip autoreconf and prepare manually: +# AUTORECONF=false ./autogen.sh +# +# To verbosely try running with an older (unsupported) autoconf: +# AUTOCONF_VERSION=2.50 ./autogen.sh --verbose +# +# Author: +# Christopher Sean Morrison +# +# Patches: +# Sebastian Pipping +# +###################################################################### + +# set to minimum acceptable version of autoconf +if [ "x$AUTOCONF_VERSION" = "x" ] ; then + AUTOCONF_VERSION=2.52 +fi +# set to minimum acceptable version of automake +if [ "x$AUTOMAKE_VERSION" = "x" ] ; then + AUTOMAKE_VERSION=1.6.0 +fi +# set to minimum acceptable version of libtool +if [ "x$LIBTOOL_VERSION" = "x" ] ; then + LIBTOOL_VERSION=1.4.2 +fi + + +################## +# ident function # +################## +ident ( ) { + # extract copyright from header + __copyright="`grep Copyright $AUTOGEN_SH | head -${HEAD_N}1 | awk '{print $4}'`" + if [ "x$__copyright" = "x" ] ; then + __copyright="`date +%Y`" + fi + + # extract version from CVS Id string + __id="$Id: autogen.sh 33925 2009-03-01 
23:27:06Z brlcad $" + __version="`echo $__id | sed 's/.*\([0-9][0-9][0-9][0-9]\)[-\/]\([0-9][0-9]\)[-\/]\([0-9][0-9]\).*/\1\2\3/'`" + if [ "x$__version" = "x" ] ; then + __version="" + fi + + echo "autogen.sh build preparation script by Christopher Sean Morrison" + echo " + config.guess download patch by Sebastian Pipping (2008-12-03)" + echo "revised 3-clause BSD-style license, copyright (c) $__copyright" + echo "script version $__version, ISO/IEC 9945 POSIX shell script" +} + + +################## +# USAGE FUNCTION # +################## +usage ( ) { + echo "Usage: $AUTOGEN_SH [-h|--help] [-v|--verbose] [-q|--quiet] [-d|--download] [--version]" + echo " --help Help on $NAME_OF_AUTOGEN usage" + echo " --verbose Verbose progress output" + echo " --quiet Quiet suppressed progress output" + echo " --download Download the latest config.guess from gnulib" + echo " --version Only perform GNU Build System version checks" + echo + echo "Description: This script will validate that minimum versions of the" + echo "GNU Build System tools are installed and then run autoreconf for you." + echo "Should autoreconf fail, manual preparation steps will be run" + echo "potentially accounting for several common preparation issues. The" + + echo "AUTORECONF, AUTOCONF, AUTOMAKE, LIBTOOLIZE, ACLOCAL, AUTOHEADER," + echo "PROJECT, & CONFIGURE environment variables and corresponding _OPTIONS" + echo "variables (e.g. AUTORECONF_OPTIONS) may be used to override the" + echo "default automatic detection behavior." 
+ echo + + ident + + return 0 +} + + +########################## +# VERSION_ERROR FUNCTION # +########################## +version_error ( ) { + if [ "x$1" = "x" ] ; then + echo "INTERNAL ERROR: version_error was not provided a version" + exit 1 + fi + if [ "x$2" = "x" ] ; then + echo "INTERNAL ERROR: version_error was not provided an application name" + exit 1 + fi + $ECHO + $ECHO "ERROR: To prepare the ${PROJECT} build system from scratch," + $ECHO " at least version $1 of $2 must be installed." + $ECHO + $ECHO "$NAME_OF_AUTOGEN does not need to be run on the same machine that will" + $ECHO "run configure or make. Either the GNU Autotools will need to be installed" + $ECHO "or upgraded on this system, or $NAME_OF_AUTOGEN must be run on the source" + $ECHO "code on another system and then transferred to here. -- Cheers!" + $ECHO +} + +########################## +# VERSION_CHECK FUNCTION # +########################## +version_check ( ) { + if [ "x$1" = "x" ] ; then + echo "INTERNAL ERROR: version_check was not provided a minimum version" + exit 1 + fi + _min="$1" + if [ "x$2" = "x" ] ; then + echo "INTERNAL ERROR: version check was not provided a comparison version" + exit 1 + fi + _cur="$2" + + # needed to handle versions like 1.10 and 1.4-p6 + _min="`echo ${_min}. | sed 's/[^0-9]/./g' | sed 's/\.\././g'`" + _cur="`echo ${_cur}. | sed 's/[^0-9]/./g' | sed 's/\.\././g'`" + + _min_major="`echo $_min | cut -d. -f1`" + _min_minor="`echo $_min | cut -d. -f2`" + _min_patch="`echo $_min | cut -d. -f3`" + + _cur_major="`echo $_cur | cut -d. -f1`" + _cur_minor="`echo $_cur | cut -d. -f2`" + _cur_patch="`echo $_cur | cut -d. 
-f3`" + + if [ "x$_min_major" = "x" ] ; then + _min_major=0 + fi + if [ "x$_min_minor" = "x" ] ; then + _min_minor=0 + fi + if [ "x$_min_patch" = "x" ] ; then + _min_patch=0 + fi + if [ "x$_cur_minor" = "x" ] ; then + _cur_major=0 + fi + if [ "x$_cur_minor" = "x" ] ; then + _cur_minor=0 + fi + if [ "x$_cur_patch" = "x" ] ; then + _cur_patch=0 + fi + + $VERBOSE_ECHO "Checking if ${_cur_major}.${_cur_minor}.${_cur_patch} is greater than ${_min_major}.${_min_minor}.${_min_patch}" + + if [ $_min_major -lt $_cur_major ] ; then + return 0 + elif [ $_min_major -eq $_cur_major ] ; then + if [ $_min_minor -lt $_cur_minor ] ; then + return 0 + elif [ $_min_minor -eq $_cur_minor ] ; then + if [ $_min_patch -lt $_cur_patch ] ; then + return 0 + elif [ $_min_patch -eq $_cur_patch ] ; then + return 0 + fi + fi + fi + return 1 +} + + +###################################### +# LOCATE_CONFIGURE_TEMPLATE FUNCTION # +###################################### +locate_configure_template ( ) { + _pwd="`pwd`" + if test -f "./configure.ac" ; then + echo "./configure.ac" + elif test -f "./configure.in" ; then + echo "./configure.in" + elif test -f "$_pwd/configure.ac" ; then + echo "$_pwd/configure.ac" + elif test -f "$_pwd/configure.in" ; then + echo "$_pwd/configure.in" + elif test -f "$PATH_TO_AUTOGEN/configure.ac" ; then + echo "$PATH_TO_AUTOGEN/configure.ac" + elif test -f "$PATH_TO_AUTOGEN/configure.in" ; then + echo "$PATH_TO_AUTOGEN/configure.in" + fi +} + + +################## +# argument check # +################## +ARGS="$*" +PATH_TO_AUTOGEN="`dirname $0`" +NAME_OF_AUTOGEN="`basename $0`" +AUTOGEN_SH="$PATH_TO_AUTOGEN/$NAME_OF_AUTOGEN" + +LIBTOOL_M4="${PATH_TO_AUTOGEN}/misc/libtool.m4" + +if [ "x$HELP" = "x" ] ; then + HELP=no +fi +if [ "x$QUIET" = "x" ] ; then + QUIET=no +fi +if [ "x$VERBOSE" = "x" ] ; then + VERBOSE=no +fi +if [ "x$VERSION_ONLY" = "x" ] ; then + VERSION_ONLY=no +fi +if [ "x$DOWNLOAD" = "x" ] ; then + DOWNLOAD=no +fi +if [ "x$AUTORECONF_OPTIONS" = "x" ] ; then + 
AUTORECONF_OPTIONS="-i -f" +fi +if [ "x$AUTOCONF_OPTIONS" = "x" ] ; then + AUTOCONF_OPTIONS="-f" +fi +if [ "x$AUTOMAKE_OPTIONS" = "x" ] ; then + AUTOMAKE_OPTIONS="-a -c -f" +fi +ALT_AUTOMAKE_OPTIONS="-a -c" +if [ "x$LIBTOOLIZE_OPTIONS" = "x" ] ; then + LIBTOOLIZE_OPTIONS="--automake -c -f" +fi +ALT_LIBTOOLIZE_OPTIONS="--automake --copy --force" +if [ "x$ACLOCAL_OPTIONS" = "x" ] ; then + ACLOCAL_OPTIONS="" +fi +if [ "x$AUTOHEADER_OPTIONS" = "x" ] ; then + AUTOHEADER_OPTIONS="" +fi +if [ "x$CONFIG_GUESS_URL" = "x" ] ; then + CONFIG_GUESS_URL="http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=build-aux/config.guess;hb=HEAD" +fi +for arg in $ARGS ; do + case "x$arg" in + x--help) HELP=yes ;; + x-[hH]) HELP=yes ;; + x--quiet) QUIET=yes ;; + x-[qQ]) QUIET=yes ;; + x--verbose) VERBOSE=yes ;; + x-[dD]) DOWNLOAD=yes ;; + x--download) DOWNLOAD=yes ;; + x-[vV]) VERBOSE=yes ;; + x--version) VERSION_ONLY=yes ;; + *) + echo "Unknown option: $arg" + echo + usage + exit 1 + ;; + esac +done + + +##################### +# environment check # +##################### + +# sanity check before recursions potentially begin +if [ ! -f "$AUTOGEN_SH" ] ; then + echo "INTERNAL ERROR: $AUTOGEN_SH does not exist" + if [ ! "x$0" = "x$AUTOGEN_SH" ] ; then + echo "INTERNAL ERROR: dirname/basename inconsistency: $0 != $AUTOGEN_SH" + fi + exit 1 +fi + +# force locale setting to C so things like date output as expected +LC_ALL=C + +# commands that this script expects +for __cmd in echo head tail pwd ; do + echo "test" | $__cmd > /dev/null 2>&1 + if [ $? != 0 ] ; then + echo "INTERNAL ERROR: '${__cmd}' command is required" + exit 2 + fi +done +echo "test" | grep "test" > /dev/null 2>&1 +if test ! x$? = x0 ; then + echo "INTERNAL ERROR: grep command is required" + exit 1 +fi +echo "test" | sed "s/test/test/" > /dev/null 2>&1 +if test ! x$? 
= x0 ; then + echo "INTERNAL ERROR: sed command is required" + exit 1 +fi + + +# determine the behavior of echo +case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in + *c*,-n*) ECHO_N= ECHO_C=' +' ECHO_T=' ' ;; + *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; + *) ECHO_N= ECHO_C='\c' ECHO_T= ;; +esac + +# determine the behavior of head +case "x`echo 'head' | head -n 1 2>&1`" in + *xhead*) HEAD_N="n " ;; + *) HEAD_N="" ;; +esac + +# determine the behavior of tail +case "x`echo 'tail' | tail -n 1 2>&1`" in + *xtail*) TAIL_N="n " ;; + *) TAIL_N="" ;; +esac + +VERBOSE_ECHO=: +ECHO=: +if [ "x$QUIET" = "xyes" ] ; then + if [ "x$VERBOSE" = "xyes" ] ; then + echo "Verbose output quelled by quiet option. Further output disabled." + fi +else + ECHO=echo + if [ "x$VERBOSE" = "xyes" ] ; then + echo "Verbose output enabled" + VERBOSE_ECHO=echo + fi +fi + + +# allow a recursive run to disable further recursions +if [ "x$RUN_RECURSIVE" = "x" ] ; then + RUN_RECURSIVE=yes +fi + + +################################################ +# check for help arg and bypass version checks # +################################################ +if [ "x`echo $ARGS | sed 's/.*[hH][eE][lL][pP].*/help/'`" = "xhelp" ] ; then + HELP=yes +fi +if [ "x$HELP" = "xyes" ] ; then + usage + $ECHO "---" + $ECHO "Help was requested. No preparation or configuration will be performed." + exit 0 +fi + + +####################### +# set up signal traps # +####################### +untrap_abnormal ( ) { + for sig in 1 2 13 15; do + trap - $sig + done +} + +# do this cleanup whenever we exit. 
+trap ' + # start from the root + if test -d "$START_PATH" ; then + cd "$START_PATH" + fi + + # restore/delete backup files + if test "x$PFC_INIT" = "x1" ; then + recursive_restore + fi +' 0 + +# trap SIGHUP (1), SIGINT (2), SIGPIPE (13), SIGTERM (15) +for sig in 1 2 13 15; do + trap ' + $ECHO "" + $ECHO "Aborting $NAME_OF_AUTOGEN: caught signal '$sig'" + + # start from the root + if test -d "$START_PATH" ; then + cd "$START_PATH" + fi + + # clean up on abnormal exit + $VERBOSE_ECHO "rm -rf autom4te.cache" + rm -rf autom4te.cache + + if test -f "acinclude.m4.$$.backup" ; then + $VERBOSE_ECHO "cat acinclude.m4.$$.backup > acinclude.m4" + chmod u+w acinclude.m4 + cat acinclude.m4.$$.backup > acinclude.m4 + + $VERBOSE_ECHO "rm -f acinclude.m4.$$.backup" + rm -f acinclude.m4.$$.backup + fi + + { (exit 1); exit 1; } +' $sig +done + + +############################# +# look for a configure file # +############################# +if [ "x$CONFIGURE" = "x" ] ; then + CONFIGURE="`locate_configure_template`" + if [ ! "x$CONFIGURE" = "x" ] ; then + $VERBOSE_ECHO "Found a configure template: $CONFIGURE" + fi +else + $ECHO "Using CONFIGURE environment variable override: $CONFIGURE" +fi +if [ "x$CONFIGURE" = "x" ] ; then + if [ "x$VERSION_ONLY" = "xyes" ] ; then + CONFIGURE=/dev/null + else + $ECHO + $ECHO "A configure.ac or configure.in file could not be located implying" + $ECHO "that the GNU Build System is at least not used in this directory. In" + $ECHO "any case, there is nothing to do here without one of those files." + $ECHO + $ECHO "ERROR: No configure.in or configure.ac file found in `pwd`" + exit 1 + fi +fi + +#################### +# get project name # +#################### +if [ "x$PROJECT" = "x" ] ; then + PROJECT="`grep AC_INIT $CONFIGURE | grep -v '.*#.*AC_INIT' | tail -${TAIL_N}1 | sed 's/^[ ]*AC_INIT(\([^,)]*\).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + if [ "x$PROJECT" = "xAC_INIT" ] ; then + # projects might be using the older/deprecated arg-less AC_INIT .. 
look for AM_INIT_AUTOMAKE instead + PROJECT="`grep AM_INIT_AUTOMAKE $CONFIGURE | grep -v '.*#.*AM_INIT_AUTOMAKE' | tail -${TAIL_N}1 | sed 's/^[ ]*AM_INIT_AUTOMAKE(\([^,)]*\).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + fi + if [ "x$PROJECT" = "xAM_INIT_AUTOMAKE" ] ; then + PROJECT="project" + fi + if [ "x$PROJECT" = "x" ] ; then + PROJECT="project" + fi +else + $ECHO "Using PROJECT environment variable override: $PROJECT" +fi +$ECHO "Preparing the $PROJECT build system...please wait" +$ECHO + + +######################## +# check for autoreconf # +######################## +HAVE_AUTORECONF=no +if [ "x$AUTORECONF" = "x" ] ; then + for AUTORECONF in autoreconf ; do + $VERBOSE_ECHO "Checking autoreconf version: $AUTORECONF --version" + $AUTORECONF --version > /dev/null 2>&1 + if [ $? = 0 ] ; then + HAVE_AUTORECONF=yes + break + fi + done +else + HAVE_AUTORECONF=yes + $ECHO "Using AUTORECONF environment variable override: $AUTORECONF" +fi + + +########################## +# autoconf version check # +########################## +_acfound=no +if [ "x$AUTOCONF" = "x" ] ; then + for AUTOCONF in autoconf ; do + $VERBOSE_ECHO "Checking autoconf version: $AUTOCONF --version" + $AUTOCONF --version > /dev/null 2>&1 + if [ $? = 0 ] ; then + _acfound=yes + break + fi + done +else + _acfound=yes + $ECHO "Using AUTOCONF environment variable override: $AUTOCONF" +fi + +_report_error=no +if [ ! "x$_acfound" = "xyes" ] ; then + $ECHO "ERROR: Unable to locate GNU Autoconf." + _report_error=yes +else + _version="`$AUTOCONF --version | head -${HEAD_N}1 | sed 's/[^0-9]*\([0-9\.][0-9\.]*\)/\1/'`" + if [ "x$_version" = "x" ] ; then + _version="0.0.0" + fi + $ECHO "Found GNU Autoconf version $_version" + version_check "$AUTOCONF_VERSION" "$_version" + if [ $? 
-ne 0 ] ; then + _report_error=yes + fi +fi +if [ "x$_report_error" = "xyes" ] ; then + version_error "$AUTOCONF_VERSION" "GNU Autoconf" + exit 1 +fi + + +########################## +# automake version check # +########################## +_amfound=no +if [ "x$AUTOMAKE" = "x" ] ; then + for AUTOMAKE in automake ; do + $VERBOSE_ECHO "Checking automake version: $AUTOMAKE --version" + $AUTOMAKE --version > /dev/null 2>&1 + if [ $? = 0 ] ; then + _amfound=yes + break + fi + done +else + _amfound=yes + $ECHO "Using AUTOMAKE environment variable override: $AUTOMAKE" +fi + + +_report_error=no +if [ ! "x$_amfound" = "xyes" ] ; then + $ECHO + $ECHO "ERROR: Unable to locate GNU Automake." + _report_error=yes +else + _version="`$AUTOMAKE --version | head -${HEAD_N}1 | sed 's/[^0-9]*\([0-9\.][0-9\.]*\)/\1/'`" + if [ "x$_version" = "x" ] ; then + _version="0.0.0" + fi + $ECHO "Found GNU Automake version $_version" + version_check "$AUTOMAKE_VERSION" "$_version" + if [ $? -ne 0 ] ; then + _report_error=yes + fi +fi +if [ "x$_report_error" = "xyes" ] ; then + version_error "$AUTOMAKE_VERSION" "GNU Automake" + exit 1 +fi + + +######################## +# check for libtoolize # +######################## +HAVE_LIBTOOLIZE=yes +HAVE_ALT_LIBTOOLIZE=no +_ltfound=no +if [ "x$LIBTOOLIZE" = "x" ] ; then + LIBTOOLIZE=libtoolize + $VERBOSE_ECHO "Checking libtoolize version: $LIBTOOLIZE --version" + $LIBTOOLIZE --version > /dev/null 2>&1 + if [ ! $? = 0 ] ; then + HAVE_LIBTOOLIZE=no + $ECHO + if [ "x$HAVE_AUTORECONF" = "xno" ] ; then + $ECHO "Warning: libtoolize does not appear to be available." + else + $ECHO "Warning: libtoolize does not appear to be available. This means that" + $ECHO "the automatic build preparation via autoreconf will probably not work." + $ECHO "Preparing the build by running each step individually, however, should" + $ECHO "work and will be done automatically for you if autoreconf fails." 
+ fi + + # look for some alternates + for tool in glibtoolize libtoolize15 libtoolize14 libtoolize13 ; do + $VERBOSE_ECHO "Checking libtoolize alternate: $tool --version" + _glibtoolize="`$tool --version > /dev/null 2>&1`" + if [ $? = 0 ] ; then + $VERBOSE_ECHO "Found $tool --version" + _glti="`which $tool`" + if [ "x$_glti" = "x" ] ; then + $VERBOSE_ECHO "Cannot find $tool with which" + continue; + fi + if test ! -f "$_glti" ; then + $VERBOSE_ECHO "Cannot use $tool, $_glti is not a file" + continue; + fi + _gltidir="`dirname $_glti`" + if [ "x$_gltidir" = "x" ] ; then + $VERBOSE_ECHO "Cannot find $tool path with dirname of $_glti" + continue; + fi + if test ! -d "$_gltidir" ; then + $VERBOSE_ECHO "Cannot use $tool, $_gltidir is not a directory" + continue; + fi + HAVE_ALT_LIBTOOLIZE=yes + LIBTOOLIZE="$tool" + $ECHO + $ECHO "Fortunately, $tool was found which means that your system may simply" + $ECHO "have a non-standard or incomplete GNU Autotools install. If you have" + $ECHO "sufficient system access, it may be possible to quell this warning by" + $ECHO "running:" + $ECHO + sudo -V > /dev/null 2>&1 + if [ $? = 0 ] ; then + $ECHO " sudo ln -s $_glti $_gltidir/libtoolize" + $ECHO + else + $ECHO " ln -s $_glti $_gltidir/libtoolize" + $ECHO + $ECHO "Run that as root or with proper permissions to the $_gltidir directory" + $ECHO + fi + _ltfound=yes + break + fi + done + else + _ltfound=yes + fi +else + _ltfound=yes + $ECHO "Using LIBTOOLIZE environment variable override: $LIBTOOLIZE" +fi + + +############################ +# libtoolize version check # +############################ +_report_error=no +if [ ! "x$_ltfound" = "xyes" ] ; then + $ECHO + $ECHO "ERROR: Unable to locate GNU Libtool." 
+ _report_error=yes +else + _version="`$LIBTOOLIZE --version | head -${HEAD_N}1 | sed 's/[^0-9]*\([0-9\.][0-9\.]*\)/\1/'`" + if [ "x$_version" = "x" ] ; then + _version="0.0.0" + fi + $ECHO "Found GNU Libtool version $_version" + version_check "$LIBTOOL_VERSION" "$_version" + if [ $? -ne 0 ] ; then + _report_error=yes + fi +fi +if [ "x$_report_error" = "xyes" ] ; then + version_error "$LIBTOOL_VERSION" "GNU Libtool" + exit 1 +fi + + +##################### +# check for aclocal # +##################### +if [ "x$ACLOCAL" = "x" ] ; then + for ACLOCAL in aclocal ; do + $VERBOSE_ECHO "Checking aclocal version: $ACLOCAL --version" + $ACLOCAL --version > /dev/null 2>&1 + if [ $? = 0 ] ; then + break + fi + done +else + $ECHO "Using ACLOCAL environment variable override: $ACLOCAL" +fi + + +######################## +# check for autoheader # +######################## +if [ "x$AUTOHEADER" = "x" ] ; then + for AUTOHEADER in autoheader ; do + $VERBOSE_ECHO "Checking autoheader version: $AUTOHEADER --version" + $AUTOHEADER --version > /dev/null 2>&1 + if [ $? = 0 ] ; then + break + fi + done +else + $ECHO "Using AUTOHEADER environment variable override: $AUTOHEADER" +fi + + +######################### +# check if version only # +######################### +$VERBOSE_ECHO "Checking whether to only output version information" +if [ "x$VERSION_ONLY" = "xyes" ] ; then + $ECHO + ident + $ECHO "---" + $ECHO "Version requested. No preparation or configuration will be performed." + exit 0 +fi + + +################################# +# PROTECT_FROM_CLOBBER FUNCTION # +################################# +protect_from_clobber ( ) { + PFC_INIT=1 + + # protect COPYING & INSTALL from overwrite by automake. the + # automake force option will (inappropriately) ignore the existing + # contents of a COPYING and/or INSTALL files (depending on the + # version) instead of just forcing *missing* files like it does + # for AUTHORS, NEWS, and README. 
this is broken but extremely + # prevalent behavior, so we protect against it by keeping a backup + # of the file that can later be restored. + + for file in COPYING INSTALL ; do + if test -f ${file} ; then + if test -f ${file}.$$.protect_from_automake.backup ; then + $VERBOSE_ECHO "Already backed up ${file} in `pwd`" + else + $VERBOSE_ECHO "Backing up ${file} in `pwd`" + $VERBOSE_ECHO "cp -p ${file} ${file}.$$.protect_from_automake.backup" + cp -p ${file} ${file}.$$.protect_from_automake.backup + fi + fi + done +} + + +############################## +# RECURSIVE_PROTECT FUNCTION # +############################## +recursive_protect ( ) { + + # for projects using recursive configure, run the build + # preparation steps for the subdirectories. this function assumes + # START_PATH was set to pwd before recursion begins so that + # relative paths work. + + # git 'r done, protect COPYING and INSTALL from being clobbered + protect_from_clobber + + if test -d autom4te.cache ; then + $VERBOSE_ECHO "Found an autom4te.cache directory, deleting it" + $VERBOSE_ECHO "rm -rf autom4te.cache" + rm -rf autom4te.cache + fi + + # find configure template + _configure="`locate_configure_template`" + if [ "x$_configure" = "x" ] ; then + return + fi + # $VERBOSE_ECHO "Looking for configure template found `pwd`/$_configure" + + # look for subdirs + # $VERBOSE_ECHO "Looking for subdirs in `pwd`" + _det_config_subdirs="`grep AC_CONFIG_SUBDIRS $_configure | grep -v '.*#.*AC_CONFIG_SUBDIRS' | sed 's/^[ ]*AC_CONFIG_SUBDIRS(\(.*\)).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + CHECK_DIRS="" + for dir in $_det_config_subdirs ; do + if test -d "`pwd`/$dir" ; then + CHECK_DIRS="$CHECK_DIRS \"`pwd`/$dir\"" + fi + done + + # process subdirs + if [ ! 
"x$CHECK_DIRS" = "x" ] ; then + $VERBOSE_ECHO "Recursively scanning the following directories:" + $VERBOSE_ECHO " $CHECK_DIRS" + for dir in $CHECK_DIRS ; do + $VERBOSE_ECHO "Protecting files from automake in $dir" + cd "$START_PATH" + eval "cd $dir" + + # recursively git 'r done + recursive_protect + done + fi +} # end of recursive_protect + + +############################# +# RESTORE_CLOBBERED FUNCION # +############################# +restore_clobbered ( ) { + + # The automake (and autoreconf by extension) -f/--force-missing + # option may overwrite COPYING and INSTALL even if they do exist. + # Here we restore the files if necessary. + + spacer=no + + for file in COPYING INSTALL ; do + if test -f ${file}.$$.protect_from_automake.backup ; then + if test -f ${file} ; then + # compare entire content, restore if needed + if test "x`cat ${file}`" != "x`cat ${file}.$$.protect_from_automake.backup`" ; then + if test "x$spacer" = "xno" ; then + $VERBOSE_ECHO + spacer=yes + fi + # restore the backup + $VERBOSE_ECHO "Restoring ${file} from backup (automake -f likely clobbered it)" + $VERBOSE_ECHO "rm -f ${file}" + rm -f ${file} + $VERBOSE_ECHO "mv ${file}.$$.protect_from_automake.backup ${file}" + mv ${file}.$$.protect_from_automake.backup ${file} + fi # check contents + elif test -f ${file}.$$.protect_from_automake.backup ; then + $VERBOSE_ECHO "mv ${file}.$$.protect_from_automake.backup ${file}" + mv ${file}.$$.protect_from_automake.backup ${file} + fi # -f ${file} + + # just in case + $VERBOSE_ECHO "rm -f ${file}.$$.protect_from_automake.backup" + rm -f ${file}.$$.protect_from_automake.backup + fi # -f ${file}.$$.protect_from_automake.backup + done + + CONFIGURE="`locate_configure_template`" + if [ "x$CONFIGURE" = "x" ] ; then + return + fi + + _aux_dir="`grep AC_CONFIG_AUX_DIR $CONFIGURE | grep -v '.*#.*AC_CONFIG_AUX_DIR' | tail -${TAIL_N}1 | sed 's/^[ ]*AC_CONFIG_AUX_DIR(\(.*\)).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + if test ! -d "$_aux_dir" ; then + _aux_dir=. 
+ fi + + for file in config.guess config.sub ltmain.sh ; do + if test -f "${_aux_dir}/${file}" ; then + $VERBOSE_ECHO "rm -f \"${_aux_dir}/${file}.backup\"" + rm -f "${_aux_dir}/${file}.backup" + fi + done +} # end of restore_clobbered + + +############################## +# RECURSIVE_RESTORE FUNCTION # +############################## +recursive_restore ( ) { + + # restore COPYING and INSTALL from backup if they were clobbered + # for each directory recursively. + + # git 'r undone + restore_clobbered + + # find configure template + _configure="`locate_configure_template`" + if [ "x$_configure" = "x" ] ; then + return + fi + + # look for subdirs + _det_config_subdirs="`grep AC_CONFIG_SUBDIRS $_configure | grep -v '.*#.*AC_CONFIG_SUBDIRS' | sed 's/^[ ]*AC_CONFIG_SUBDIRS(\(.*\)).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + CHECK_DIRS="" + for dir in $_det_config_subdirs ; do + if test -d "`pwd`/$dir" ; then + CHECK_DIRS="$CHECK_DIRS \"`pwd`/$dir\"" + fi + done + + # process subdirs + if [ ! "x$CHECK_DIRS" = "x" ] ; then + $VERBOSE_ECHO "Recursively scanning the following directories:" + $VERBOSE_ECHO " $CHECK_DIRS" + for dir in $CHECK_DIRS ; do + $VERBOSE_ECHO "Checking files for automake damage in $dir" + cd "$START_PATH" + eval "cd $dir" + + # recursively git 'r undone + recursive_restore + done + fi +} # end of recursive_restore + + +####################### +# INITIALIZE FUNCTION # +####################### +initialize ( ) { + + # this routine performs a variety of directory-specific + # initializations. some are sanity checks, some are preventive, + # and some are necessary setup detection. 
+ # + # this function sets: + # CONFIGURE + # SEARCH_DIRS + # CONFIG_SUBDIRS + + ################################## + # check for a configure template # + ################################## + CONFIGURE="`locate_configure_template`" + if [ "x$CONFIGURE" = "x" ] ; then + $ECHO + $ECHO "A configure.ac or configure.in file could not be located implying" + $ECHO "that the GNU Build System is at least not used in this directory. In" + $ECHO "any case, there is nothing to do here without one of those files." + $ECHO + $ECHO "ERROR: No configure.in or configure.ac file found in `pwd`" + exit 1 + fi + + ##################### + # detect an aux dir # + ##################### + _aux_dir="`grep AC_CONFIG_AUX_DIR $CONFIGURE | grep -v '.*#.*AC_CONFIG_AUX_DIR' | tail -${TAIL_N}1 | sed 's/^[ ]*AC_CONFIG_AUX_DIR(\(.*\)).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + if test ! -d "$_aux_dir" ; then + _aux_dir=. + else + $VERBOSE_ECHO "Detected auxillary directory: $_aux_dir" + fi + + ################################ + # detect a recursive configure # + ################################ + CONFIG_SUBDIRS="" + _det_config_subdirs="`grep AC_CONFIG_SUBDIRS $CONFIGURE | grep -v '.*#.*AC_CONFIG_SUBDIRS' | sed 's/^[ ]*AC_CONFIG_SUBDIRS(\(.*\)).*/\1/' | sed 's/.*\[\(.*\)\].*/\1/'`" + for dir in $_det_config_subdirs ; do + if test -d "`pwd`/$dir" ; then + $VERBOSE_ECHO "Detected recursive configure directory: `pwd`/$dir" + CONFIG_SUBDIRS="$CONFIG_SUBDIRS `pwd`/$dir" + fi + done + + ########################################################### + # make sure certain required files exist for GNU projects # + ########################################################### + _marker_found="" + _marker_found_message_intro='Detected non-GNU marker "' + _marker_found_message_mid='" in ' + for marker in foreign cygnus ; do + _marker_found_message=${_marker_found_message_intro}${marker}${_marker_found_message_mid} + _marker_found="`grep 'AM_INIT_AUTOMAKE.*'${marker} $CONFIGURE`" + if [ ! 
"x$_marker_found" = "x" ] ; then + $VERBOSE_ECHO "${_marker_found_message}`basename \"$CONFIGURE\"`" + break + fi + if test -f "`dirname \"$CONFIGURE\"/Makefile.am`" ; then + _marker_found="`grep 'AUTOMAKE_OPTIONS.*'${marker} Makefile.am`" + if [ ! "x$_marker_found" = "x" ] ; then + $VERBOSE_ECHO "${_marker_found_message}Makefile.am" + break + fi + fi + done + if [ "x${_marker_found}" = "x" ] ; then + _suggest_foreign=no + for file in AUTHORS COPYING ChangeLog INSTALL NEWS README ; do + if [ ! -f $file ] ; then + $VERBOSE_ECHO "Touching ${file} since it does not exist" + _suggest_foreign=yes + touch $file + fi + done + + if [ "x${_suggest_foreign}" = "xyes" ] ; then + $ECHO + $ECHO "Warning: Several files expected of projects that conform to the GNU" + $ECHO "coding standards were not found. The files were automatically added" + $ECHO "for you since you do not have a 'foreign' declaration specified." + $ECHO + $ECHO "Considered adding 'foreign' to AM_INIT_AUTOMAKE in `basename \"$CONFIGURE\"`" + if test -f "`dirname \"$CONFIGURE\"/Makefile.am`" ; then + $ECHO "or to AUTOMAKE_OPTIONS in your top-level Makefile.am file." 
+ fi + $ECHO + fi + fi + + ################################################## + # make sure certain generated files do not exist # + ################################################## + for file in config.guess config.sub ltmain.sh ; do + if test -f "${_aux_dir}/${file}" ; then + $VERBOSE_ECHO "mv -f \"${_aux_dir}/${file}\" \"${_aux_dir}/${file}.backup\"" + mv -f "${_aux_dir}/${file}" "${_aux_dir}/${file}.backup" + fi + done + + ############################ + # search alternate m4 dirs # + ############################ + SEARCH_DIRS="" + for dir in m4 ; do + if [ -d $dir ] ; then + $VERBOSE_ECHO "Found extra aclocal search directory: $dir" + SEARCH_DIRS="$SEARCH_DIRS -I $dir" + fi + done + + ###################################### + # remove any previous build products # + ###################################### + if test -d autom4te.cache ; then + $VERBOSE_ECHO "Found an autom4te.cache directory, deleting it" + $VERBOSE_ECHO "rm -rf autom4te.cache" + rm -rf autom4te.cache + fi +# tcl/tk (and probably others) have a customized aclocal.m4, so can't delete it +# if test -f aclocal.m4 ; then +# $VERBOSE_ECHO "Found an aclocal.m4 file, deleting it" +# $VERBOSE_ECHO "rm -f aclocal.m4" +# rm -f aclocal.m4 +# fi + +} # end of initialize() + + +############## +# initialize # +############## + +# stash path +START_PATH="`pwd`" + +# Before running autoreconf or manual steps, some prep detection work +# is necessary or useful. Only needs to occur once per directory, but +# does need to traverse the entire subconfigure hierarchy to protect +# files from being clobbered even by autoreconf. +recursive_protect + +# start from where we started +cd "$START_PATH" + +# get ready to process +initialize + + +######################################### +# DOWNLOAD_GNULIB_CONFIG_GUESS FUNCTION # +######################################### + +# TODO - should make sure wget/curl exist and/or work before trying to +# use them. 
+ +download_gnulib_config_guess () { + # abuse gitweb to download gnulib's latest config.guess via HTTP + config_guess_temp="config.guess.$$.download" + ret=1 + for __cmd in wget curl fetch ; do + $VERBOSE_ECHO "Checking for command ${__cmd}" + ${__cmd} --version > /dev/null 2>&1 + ret=$? + if [ ! $ret = 0 ] ; then + continue + fi + + __cmd_version=`${__cmd} --version | head -n 1 | sed -e 's/^[^0-9]\+//' -e 's/ .*//'` + $VERBOSE_ECHO "Found ${__cmd} ${__cmd_version}" + + opts="" + case ${__cmd} in + wget) + opts="-O" + ;; + curl) + opts="-o" + ;; + fetch) + opts="-t 5 -f" + ;; + esac + + $VERBOSE_ECHO "Running $__cmd \"${CONFIG_GUESS_URL}\" $opts \"${config_guess_temp}\"" + eval "$__cmd \"${CONFIG_GUESS_URL}\" $opts \"${config_guess_temp}\"" > /dev/null 2>&1 + if [ $? = 0 ] ; then + mv -f "${config_guess_temp}" ${_aux_dir}/config.guess + ret=0 + break + fi + done + + if [ ! $ret = 0 ] ; then + $ECHO "Warning: config.guess download failed from: $CONFIG_GUESS_URL" + rm -f "${config_guess_temp}" + fi +} + + +############################## +# LIBTOOLIZE_NEEDED FUNCTION # +############################## +libtoolize_needed () { + ret=1 # means no, don't need libtoolize + for feature in AC_PROG_LIBTOOL AM_PROG_LIBTOOL LT_INIT ; do + $VERBOSE_ECHO "Searching for $feature in $CONFIGURE" + found="`grep \"^$feature.*\" $CONFIGURE`" + if [ ! "x$found" = "x" ] ; then + ret=0 # means yes, need to run libtoolize + break + fi + done + return ${ret} +} + + + +############################################ +# prepare build via autoreconf or manually # +############################################ +reconfigure_manually=no +if [ "x$HAVE_AUTORECONF" = "xyes" ] ; then + $ECHO + $ECHO $ECHO_N "Automatically preparing build ... $ECHO_C" + + $VERBOSE_ECHO "$AUTORECONF $SEARCH_DIRS $AUTORECONF_OPTIONS" + autoreconf_output="`$AUTORECONF $SEARCH_DIRS $AUTORECONF_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$autoreconf_output" + + if [ ! 
$ret = 0 ] ; then + if [ "x$HAVE_ALT_LIBTOOLIZE" = "xyes" ] ; then + if [ ! "x`echo \"$autoreconf_output\" | grep libtoolize | grep \"No such file or directory\"`" = "x" ] ; then + $ECHO + $ECHO "Warning: autoreconf failed but due to what is usually a common libtool" + $ECHO "misconfiguration issue. This problem is encountered on systems that" + $ECHO "have installed libtoolize under a different name without providing a" + $ECHO "symbolic link or without setting the LIBTOOLIZE environment variable." + $ECHO + $ECHO "Restarting the preparation steps with LIBTOOLIZE set to $LIBTOOLIZE" + + export LIBTOOLIZE + RUN_RECURSIVE=no + export RUN_RECURSIVE + untrap_abnormal + + $VERBOSE_ECHO sh $AUTOGEN_SH "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" + sh "$AUTOGEN_SH" "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" + exit $? + fi + fi + + $ECHO "Warning: $AUTORECONF failed" + + if test -f ltmain.sh ; then + $ECHO "libtoolize being run by autoreconf is not creating ltmain.sh in the auxillary directory like it should" + fi + + $ECHO "Attempting to run the preparation steps individually" + reconfigure_manually=yes + else + if [ "x$DOWNLOAD" = "xyes" ] ; then + if libtoolize_needed ; then + download_gnulib_config_guess + fi + fi + fi +else + reconfigure_manually=yes +fi + + +############################ +# LIBTOOL_FAILURE FUNCTION # +############################ +libtool_failure ( ) { + + # libtool is rather error-prone in comparison to the other + # autotools and this routine attempts to compensate for some + # common failures. the output after a libtoolize failure is + # parsed for an error related to AC_PROG_LIBTOOL and if found, we + # attempt to inject a project-provided libtool.m4 file. + + _autoconf_output="$1" + + if [ "x$RUN_RECURSIVE" = "xno" ] ; then + # we already tried the libtool.m4, don't try again + return 1 + fi + + if test -f "$LIBTOOL_M4" ; then + found_libtool="`$ECHO $_autoconf_output | grep AC_PROG_LIBTOOL`" + if test ! 
"x$found_libtool" = "x" ; then + if test -f acinclude.m4 ; then + rm -f acinclude.m4.$$.backup + $VERBOSE_ECHO "cat acinclude.m4 > acinclude.m4.$$.backup" + cat acinclude.m4 > acinclude.m4.$$.backup + fi + $VERBOSE_ECHO "cat \"$LIBTOOL_M4\" >> acinclude.m4" + chmod u+w acinclude.m4 + cat "$LIBTOOL_M4" >> acinclude.m4 + + # don't keep doing this + RUN_RECURSIVE=no + export RUN_RECURSIVE + untrap_abnormal + + $ECHO + $ECHO "Restarting the preparation steps with libtool macros in acinclude.m4" + $VERBOSE_ECHO sh $AUTOGEN_SH "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" + sh "$AUTOGEN_SH" "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" + exit $? + fi + fi +} + + +########################### +# MANUAL_AUTOGEN FUNCTION # +########################### +manual_autogen ( ) { + + ################################################## + # Manual preparation steps taken are as follows: # + # aclocal [-I m4] # + # libtoolize --automake -c -f # + # aclocal [-I m4] # + # autoconf -f # + # autoheader # + # automake -a -c -f # + ################################################## + + ########### + # aclocal # + ########### + $VERBOSE_ECHO "$ACLOCAL $SEARCH_DIRS $ACLOCAL_OPTIONS" + aclocal_output="`$ACLOCAL $SEARCH_DIRS $ACLOCAL_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$aclocal_output" + if [ ! $ret = 0 ] ; then $ECHO "ERROR: $ACLOCAL failed" && exit 2 ; fi + + ############## + # libtoolize # + ############## + if libtoolize_needed ; then + if [ "x$HAVE_LIBTOOLIZE" = "xyes" ] ; then + $VERBOSE_ECHO "$LIBTOOLIZE $LIBTOOLIZE_OPTIONS" + libtoolize_output="`$LIBTOOLIZE $LIBTOOLIZE_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$libtoolize_output" + + if [ ! $ret = 0 ] ; then $ECHO "ERROR: $LIBTOOLIZE failed" && exit 2 ; fi + else + if [ "x$HAVE_ALT_LIBTOOLIZE" = "xyes" ] ; then + $VERBOSE_ECHO "$LIBTOOLIZE $ALT_LIBTOOLIZE_OPTIONS" + libtoolize_output="`$LIBTOOLIZE $ALT_LIBTOOLIZE_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$libtoolize_output" + + if [ ! 
$ret = 0 ] ; then $ECHO "ERROR: $LIBTOOLIZE failed" && exit 2 ; fi + fi + fi + + ########### + # aclocal # + ########### + # re-run again as instructed by libtoolize + $VERBOSE_ECHO "$ACLOCAL $SEARCH_DIRS $ACLOCAL_OPTIONS" + aclocal_output="`$ACLOCAL $SEARCH_DIRS $ACLOCAL_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$aclocal_output" + + # libtoolize might put ltmain.sh in the wrong place + if test -f ltmain.sh ; then + if test ! -f "${_aux_dir}/ltmain.sh" ; then + $ECHO + $ECHO "Warning: $LIBTOOLIZE is creating ltmain.sh in the wrong directory" + $ECHO + $ECHO "Fortunately, the problem can be worked around by simply copying the" + $ECHO "file to the appropriate location (${_aux_dir}/). This has been done for you." + $ECHO + $VERBOSE_ECHO "cp -p ltmain.sh \"${_aux_dir}/ltmain.sh\"" + cp -p ltmain.sh "${_aux_dir}/ltmain.sh" + $ECHO $ECHO_N "Continuing build preparation ... $ECHO_C" + fi + fi # ltmain.sh + + if [ "x$DOWNLOAD" = "xyes" ] ; then + download_gnulib_config_guess + fi + fi # libtoolize_needed + + ############ + # autoconf # + ############ + $VERBOSE_ECHO + $VERBOSE_ECHO "$AUTOCONF $AUTOCONF_OPTIONS" + autoconf_output="`$AUTOCONF $AUTOCONF_OPTIONS 2>&1`" + ret=$? + $VERBOSE_ECHO "$autoconf_output" + + if [ ! $ret = 0 ] ; then + # retry without the -f and check for usage of macros that are too new + ac2_59_macros="AC_C_RESTRICT AC_INCLUDES_DEFAULT AC_LANG_ASSERT AC_LANG_WERROR AS_SET_CATFILE" + ac2_55_macros="AC_COMPILER_IFELSE AC_FUNC_MBRTOWC AC_HEADER_STDBOOL AC_LANG_CONFTEST AC_LANG_SOURCE AC_LANG_PROGRAM AC_LANG_CALL AC_LANG_FUNC_TRY_LINK AC_MSG_FAILURE AC_PREPROC_IFELSE" + ac2_54_macros="AC_C_BACKSLASH_A AC_CONFIG_LIBOBJ_DIR AC_GNU_SOURCE AC_PROG_EGREP AC_PROG_FGREP AC_REPLACE_FNMATCH AC_FUNC_FNMATCH_GNU AC_FUNC_REALLOC AC_TYPE_MBSTATE_T" + + macros_to_search="" + ac_major="`echo ${AUTOCONF_VERSION}. | cut -d. -f1 | sed 's/[^0-9]//g'`" + ac_minor="`echo ${AUTOCONF_VERSION}. | cut -d. 
-f2 | sed 's/[^0-9]//g'`" + + if [ $ac_major -lt 2 ] ; then + macros_to_search="$ac2_59_macros $ac2_55_macros $ac2_54_macros" + else + if [ $ac_minor -lt 54 ] ; then + macros_to_search="$ac2_59_macros $ac2_55_macros $ac2_54_macros" + elif [ $ac_minor -lt 55 ] ; then + macros_to_search="$ac2_59_macros $ac2_55_macros" + elif [ $ac_minor -lt 59 ] ; then + macros_to_search="$ac2_59_macros" + fi + fi + + configure_ac_macros=__none__ + for feature in $macros_to_search ; do + $VERBOSE_ECHO "Searching for $feature in $CONFIGURE" + found="`grep \"^$feature.*\" $CONFIGURE`" + if [ ! "x$found" = "x" ] ; then + if [ "x$configure_ac_macros" = "x__none__" ] ; then + configure_ac_macros="$feature" + else + configure_ac_macros="$feature $configure_ac_macros" + fi + fi + done + if [ ! "x$configure_ac_macros" = "x__none__" ] ; then + $ECHO + $ECHO "Warning: Unsupported macros were found in $CONFIGURE" + $ECHO + $ECHO "The `basename \"$CONFIGURE\"` file was scanned in order to determine if any" + $ECHO "unsupported macros are used that exceed the minimum version" + $ECHO "settings specified within this file. As such, the following macros" + $ECHO "should be removed from configure.ac or the version numbers in this" + $ECHO "file should be increased:" + $ECHO + $ECHO "$configure_ac_macros" + $ECHO + $ECHO $ECHO_N "Ignorantly continuing build preparation ... $ECHO_C" + fi + + ################### + # autoconf, retry # + ################### + $VERBOSE_ECHO + $VERBOSE_ECHO "$AUTOCONF" + autoconf_output="`$AUTOCONF 2>&1`" + ret=$? + $VERBOSE_ECHO "$autoconf_output" + + if [ ! $ret = 0 ] ; then + # test if libtool is busted + libtool_failure "$autoconf_output" + + # let the user know what went wrong + cat < + +Patches: +Sebastian Pipping + +The autogen.sh script is distributed under the terms of a standard +3-clause BSD-style license. See the script for the exact language. diff --git a/clean b/clean new file mode 100755 index 0000000..5fce5ae --- /dev/null +++ b/clean 
@@ -0,0 +1,4 @@
+#!/bin/sh
+git clean -dff
+git clean -Xff
+rm -rf autom4te.cache
diff --git a/contrib/generate_from_template b/contrib/generate_from_template
new file mode 100755
index 0000000..d26fcf5
--- /dev/null
+++ b/contrib/generate_from_template
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+if [ $# != 6 ]; then
+ echo "$0 file.in file.out TRIPWIRE_ROOT TRIPWIRE_ETC_DIR TRIPWIRE_DB_DIR TRIPWIRE_LOG_DIR" >&2
+ echo >&2
+ echo " file.in cannot be the same as file.out" >&2
+ exit 1
+fi
+
+sed "s%TRIPWIRE_ROOT%$3%g;s%TRIPWIRE_ETC_DIR%$4;s%TRIPWIRE_DB_DIR%$5%g;s%TRIPWIRE_LOG_DIR%$6%g" "$1" > "$2"
+test -x "$1" && chmod +x "$2"
diff --git a/contrib/generic_install_scripts b/contrib/generic_install_scripts
new file mode 100755
index 0000000..ab98845
--- /dev/null
+++ b/contrib/generic_install_scripts
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# 1. install all tripwire_* scripts from contrib/
+# 2. installs policy and config text files
+# 3. installs the plist but does not launch it
+#
+set -e
+
+## start config -- edits okay here
+TRIPWIRE_ROOT="${TRIPWIRE_ROOT-/usr/local}"
+TRIPWIRE_ETC_DIR="${TRIPWIRE_ETC_DIR-/etc}"
+TRIPWIRE_DB_DIR="${TRIPWIRE_DB_DIR-/var/db/tripwire}"
+TRIPWIRE_LOG_DIR="${TRIPWIRE_LOG_DIR-/var/log/tripwire}"
+## end config -- dont edit past here
+
+mkdir -p "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+
+THIS_SCRIPT_DIR="$(cd `dirname "$0"`; pwd)"
+GENERATE_FROM_TEMPLATE="${THIS_SCRIPT}/generate_from_template"
+
+for GENERIC_SCRIPT in tripwire_*; do
+ "$GENERATE_FROM_TEMPLATE" $GENERIC_SCRIPT "$TRIPWIRE_ROOT/sbin/$GENERIC_SCRIPT" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
diff --git a/contrib/make-bin-dist b/contrib/make-bin-dist
index ead54a6..cbe2952 100755
--- a/contrib/make-bin-dist
+++ b/contrib/make-bin-dist
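Review bot: The sed program in contrib/generate_from_template is missing the closing `%g` after `$4`, so `s%TRIPWIRE_ETC_DIR%$4;s%TRIPWIRE_DB_DIR%$5%g` is read as one substitution with invalid flags and sed exits with an error; because `> "$2"` has already truncated the target, each run leaves an empty file at the install path. The expression should read `sed "s%TRIPWIRE_ROOT%$3%g;s%TRIPWIRE_ETC_DIR%$4%g;s%TRIPWIRE_DB_DIR%$5%g;s%TRIPWIRE_LOG_DIR%$6%g" "$1" > "$2"`. Separately, the closing `test -x "$1" && chmod +x "$2"` makes the script return 1 for every non-executable template (the .sample and .plist inputs), which would abort the callers that run under `set -e`; `if [ -x "$1" ]; then chmod +x "$2"; fi` avoids that. A directory argument containing `%`, `&` or a backslash is interpreted by sed, which is worth a comment next to the usage text.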
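Review bot: In contrib/generic_install_scripts, `GENERATE_FROM_TEMPLATE="${THIS_SCRIPT}/generate_from_template"` references `THIS_SCRIPT`, which is never set (the line above defines `THIS_SCRIPT_DIR`), so the helper path expands to `/generate_from_template` and an installer that the osx README runs as root tries to execute a program from the filesystem root. Use `GENERATE_FROM_TEMPLATE="${THIS_SCRIPT_DIR}/generate_from_template"`, and consider `set -eu` so an unset name stops the script instead of expanding to nothing. The `tripwire_*` glob is resolved against the caller's working directory rather than `$THIS_SCRIPT_DIR`, and `$TRIPWIRE_ROOT/sbin` is not among the directories created by `mkdir -p`, so the first redirect into it may fail.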
@@ -1,21 +1,99 @@ -#!/bin/sh +#!/usr/bin/env bash # # A very cheesy script to prep a release # +set -e PRODUCT=tripwire VERSION=2.4.3.0 -ARCH=x86 -TYPE=bin -ROOT_DIR=$PRODUCT-$VERSION-$ARCH-$TYPE -EXCLUDES=.svn -mkdir $ROOT_DIR +platform() { + case `uname` in + Darwin) echo 'osx' ;; + Linux) echo 'linux' ;; + FreeBSD) echo 'freebsd' ;; + *) echo 'unknown' ;; + esac +} + + +arch() { + case "$1" in + osx|freebsd|linux) + if file bin/tripwire | grep -q '64-bit'; then + echo 'x86_64' + else + echo 'x86' + fi + ;; + *) echo 'unknown' + esac +} + +PLATFORM=$(platform) +ARCH=$(arch $PLATFORM) +TYPE=bin +ROOT_DIR=$PRODUCT-$VERSION-$PLATFORM-$ARCH-$TYPE +EXCLUDES='.svn .git .gitignore' + + + +EXCLUDES="$(for EXCLUDE in $EXCLUDES; do echo --exclude $EXCLUDE; done)" + +SCRIPT_DIR="$(cd `dirname $0`; pwd)" +SCRIPT_DIR_DOTDOT="$(dirname "$SCRIPT_DIR")" + +if ! test -x bin/tripwire* ; then + echo "tripwire not ready for release (bins not found in bin/ dir)" >&2 + exit 1 +fi + +trap 'RESULT=$?; rm -rf "$SCRIPT_DIR_DOTDOT/releases/$ROOT_DIR"; exit $RESULT' INT QUIT EXIT TERM ERR + +mkdir -p "$SCRIPT_DIR_DOTDOT/releases" +cd "$SCRIPT_DIR_DOTDOT/releases" +mkdir "$ROOT_DIR" ln -s ../bin ../contrib ../man ../policy $ROOT_DIR/ -ln -s ../COPYING ../ChangeLog ../INSTALL ../MAINTAINERS $ROOT_DIR/ +ln -s ../COPYING ../ChangeLog ../Packaging ../ReadMe-2.4.3 ../MAINTAINERS $ROOT_DIR/ ln -s ../TRADEMARK ../COMMERCIAL ../install ../install-sh $ROOT_DIR/ -tar jhcf $ROOT_DIR.tar.bz2 $ROOT_DIR --exclude $EXCLUDES +EXTENSIONS=(tar.bz2 tar.gz tar.xz) +TAR_OPTIONS=(j z J) -sha1sum $ROOT_DIR.tar.bz2 > $ROOT_DIR.sha1 -sha1sum bin/* >> $ROOT_DIR.sha1 +sha1() { + sha1sum "$@" || shasum "$@" +} + +sha512() { + sha512sum "$@" || shasum -a 512 "$@" +} + +sign() { + if which gpg >/dev/null 2>&1; then + gpg --detach-sign --output "$1.asc" "$1" + else + echo "gpg unavailable, release is unsigned !!" 
>&2 + exit 1 + fi +} + +for INDEX in 1 2 3; do + EXTENSION="${EXTENSIONS[$INDEX]}" + TAR_OPTIONS="${TAR_OPTIONS[$INDEX]}" + TARBALL="$ROOT_DIR.${EXTENSION}" + + tar $EXCLUDES -${TAR_OPTIONS}hcf $TARBALL $ROOT_DIR + + sha1 $TARBALL > $ROOT_DIR.sha1 + sha1 bin/* >> $ROOT_DIR.sha1 + + sha512 $TARBALL > $ROOT_DIR.sha512 + sha512 bin/* >> $ROOT_DIR.sha512 + + # sign the tarball + sign $TARBALL + + # sign the hashes + sign $ROOT_DIR.sha1 + sign $ROOT_DIR.sha512 +done diff --git a/contrib/osx/README.md b/contrib/osx/README.md new file mode 100644 index 0000000..2b49f8a --- /dev/null +++ b/contrib/osx/README.md @@ -0,0 +1,41 @@ +# OSX readme + +## What this does + +- Runs tripwire whenever connected to power +- Automatically grooms logs (not reports, its a todo) + + +## Installation + +1. Edit `./homebrew_install_scripts_and_config` to taste +2. Run `./homebrew_install_scripts_and_config` as root +3. Modify `TRIPWIRE_ETC_DIR/twcfg.txt` and `TRIPWIRE_ETC_DIR/twpol.txt` to taste +4. Make up two brand-new, 24+ character passwords (they MUST not be the same), and store them securely before continuing: + + - site passphrase + - local passphrase + +5. Run the following commands as root: + + ``` + TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases + TRIPWIRE_ROOT/sbin/tripwire_update_config_file # twcfg.txt -> tw.cfg + TRIPWIRE_ROOT/sbin/tripwire_update_policy_file # twpol.txt -> tw.pol + TRIPWIRE_ROOT/sbin/tripwire --init # this creates a new encrypted database + ``` + +6. Enable periodic jobs (run as root): + + ``` + launchctl load -w /Library/LaunchDaemons/org.tripwire.Tripwire.plist + ``` + + +## Uninstallation (run with sudo or su) + + launchctl unload -w /Library/LaunchDaemons/org.tripwire.Tripwire.plist + rm -f /Library/LaunchDaemons/org.tripwire.Tripwire.plist + TRIPWIRE_ROOT/sbin/tripwire_uninstall + # or remove everything: TRIPWIRE_ROOT/sbin/tripwire_uninstall -A + 
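Review bot: The packaging loop in contrib/make-bin-dist iterates `for INDEX in 1 2 3` over the zero-based arrays `EXTENSIONS` and `TAR_OPTIONS`, so the tar.bz2 entry at index 0 is never built and the third pass runs with an empty extension and an empty compression flag. Use `for INDEX in 0 1 2; do` and put the flag in a separate scalar such as `TAR_OPTION="${TAR_OPTIONS[$INDEX]}"` instead of assigning back into the array. Each pass also truncates `$ROOT_DIR.sha1` and `$ROOT_DIR.sha512` with `>`, so the checksum files that get signed describe only the last tarball; one checksum file per tarball keeps the signatures meaningful for every artifact. After `cd "$SCRIPT_DIR_DOTDOT/releases"` the relative `bin/*` and the `../bin`-style symlink targets appear to resolve under releases/ rather than the source tree, which should be confirmed before relying on the output.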
diff --git a/contrib/osx/homebrew_install_scripts_and_config b/contrib/osx/homebrew_install_scripts_and_config
new file mode 100755
index 0000000..cc38feb
--- /dev/null
+++ b/contrib/osx/homebrew_install_scripts_and_config
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# 1. install all tripwire_* scripts from contrib/ and contrib/osx/
+# 2. installs policy and config text files
+# 3. installs the plist but does not launch it
+#
+set -e
+
+## start config -- edits okay here
+TRIPWIRE_ROOT="${TRIPWIRE_ROOT-/usr/local/tripwire}"
+TRIPWIRE_ETC_DIR="${TRIPWIRE_ETC_DIR-$TRIPWIRE_ROOT/etc}"
+TRIPWIRE_DB_DIR="${TRIPWIRE_DB_DIR-$TRIPWIRE_ROOT/lib/tripwire}"
+TRIPWIRE_LOG_DIR="${TRIPWIRE_LOG_DIR-/usr/local/var/log}"
+## end config -- dont edit past here
+export TRIPWIRE_ROOT
+export TRIPWIRE_ETC_DIR
+export TRIPWIRE_DB_DIR
+export TRIPWIRE_LOG_DIR
+
+THIS_SCRIPT_DIR="$(cd `dirname "$0"`; pwd)"
+THIS_SCRIPT_DIR_DOTDOT="$(dirname "$THIS_SCRIPT_DIR")"
+GENERATE_FROM_TEMPLATE="${THIS_SCRIPT_DIR_DOTDOT}/generate_from_template"
+
+"$THIS_SCRIPT_DIR_DOTDOT/generic_install_scripts"
+
+for OSX_SCRIPT in tripwire_*; do
+ "$GENERATE_FROM_TEMPLATE" $OSX_SCRIPT "$TRIPWIRE_ROOT/sbin/$OSX_SCRIPT" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
+
+for ETC_FILE_SAMPLE in tw*.txt.sample; do
+ ETC_FILE="$(echo $ETC_FILE | sed 's/\.sample//')"
+ "$GENERATE_FROM_TEMPLATE" $ETC_FILE_SAMPLE "$TRIPWIRE_ETC_DIR/$ETC_FILE" "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
+done
+
+"$GENERATE_FROM_TEMPLATE" org.tripwire.Tripwire.plist /Library/LaunchDaemons/org.tripwire.Tripwire.plist "$TRIPWIRE_ROOT" "$TRIPWIRE_ETC_DIR" "$TRIPWIRE_DB_DIR" "$TRIPWIRE_LOG_DIR"
diff --git a/contrib/osx/org.tripwire.Tripwire.plist b/contrib/osx/org.tripwire.Tripwire.plist
new file mode 100644
index 0000000..d885d93
--- /dev/null
+++ b/contrib/osx/org.tripwire.Tripwire.plist
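Review bot: In the `tw*.txt.sample` loop, `ETC_FILE="$(echo $ETC_FILE | sed 's/\.sample//')"` reads `ETC_FILE` instead of the loop variable, so the name is always empty and the generator is pointed at `"$TRIPWIRE_ETC_DIR/"`, a directory, for both the config and the policy file. The line should be `ETC_FILE="$(echo "$ETC_FILE_SAMPLE" | sed 's/\.sample$//')"`. Both `for` globs are relative to the current directory, so the script only finds its inputs when started from contrib/osx; a `cd "$THIS_SCRIPT_DIR"` before the loops would make that explicit. Since the last line writes a LaunchDaemon that runs as root, it is worth checking after generation that the plist and the script it names are owned by root and not group- or world-writable.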
@@ -0,0 +1,20 @@ + + + + + Label + org.tripwire.Tripwire + Nice + 5 + ProgramArguments + + TRIPWIRE_ROOT/sbin/tripwire_periodic_check + + Disabled + + RunAtLoad + + StartInterval + 3600 + + diff --git a/contrib/osx/twcfg.txt.sample b/contrib/osx/twcfg.txt.sample new file mode 100644 index 0000000..a0f2a00 --- /dev/null +++ b/contrib/osx/twcfg.txt.sample @@ -0,0 +1,15 @@ +ROOT =TRIPWIRE_ROOT/sbin +POLFILE =TRIPWIRE_ETC_DIR/tw.pol +DBFILE =TRIPWIRE_DB_DIR/$(HOSTNAME).twd +REPORTFILE =TRIPWIRE_DB_DIR/report/$(HOSTNAME)-$(DATE).twr +SITEKEYFILE =TRIPWIRE_ETC_DIR/site.key +LOCALKEYFILE =TRIPWIRE_ETC_DIR/$(HOSTNAME)-local.key +EDITOR =/usr/bin/vi +LATEPROMPTING =false +LOOSEDIRECTORYCHECKING =false +MAILNOVIOLATIONS =true +EMAILREPORTLEVEL =3 +REPORTLEVEL =3 +MAILMETHOD =SENDMAIL +SYSLOGREPORTING =false +MAILPROGRAM =/usr/sbin/sendmail -oi -t diff --git a/contrib/osx/twpol.txt.sample b/contrib/osx/twpol.txt.sample new file mode 100644 index 0000000..af49074 --- /dev/null +++ b/contrib/osx/twpol.txt.sample 
@@ -0,0 +1,366 @@ + ############################################################################## + # ## +############################################################################## # +# # # +# Policy file for Mac OS X # # +# December 31, 2013 # # +# ## +############################################################################## + + ############################################################################## + # ## +############################################################################## # +# # # +# Global Variable Definitions # # +# # # +# These are defined at install time by the installation script. You may # # +# manually edit these if you are using this file directly and not from the # # +# installation script itself. # # +# ## +############################################################################## + +@@section GLOBAL + +TW_ROOT="TRIPWIRE_ROOT" +TW_DB_DIR="TRIPWIRE_DB_DIR" +TW_ETC_DIR="TRIPWIRE_ETC_DIR" + +TWDOCS="$(TW_ROOT)/doc/tripwire"; +TWBIN="$(TW_ROOT)/sbin"; +TWPOL="$(TW_ETC_DIR)"; +TWDB="$(TW_DB_DIR)"; +TWSKEY="$(TW_ETC_DIR)"; +TWLKEY="$(TW_ETC_DIR)"; +TWREPORT="$(TW_DB_DIR)/report"; +#USER1=frodo ; + + + ############################################################################## + # Predefined Variables # +############################################################################## +# +# Property Masks +# +# - ignore the following properties +# + check the following properties +# +# a access timestamp (mutually exclusive with +CMSH) +# b number of blocks allocated +# c inode creation/modification timestamp +# d ID of device on which inode resides +# g group id of owner +# i inode number +# l growing files (logfiles for example) +# m modification timestamp +# n number of links +# p permission and file mode bits +# r ID of device pointed to by inode (valid only for device objects) +# s file size +# t file type +# u user id of owner +# +# C CRC-32 hash +# H HAVAL hash +# M MD5 hash +# S SHA hash +# 
+############################################################################## + +SEC_DEVICE = +pugsr-dintlbamcCMSH ; +SEC_DYNAMIC = +pinugt-dsrlbamcCMSH ; +SEC_READONLY = +pinugtsbmCM-drlacSH ; +SEC_GROWING = +pinugtl-dsrbamcCMSH ; + +IgnoreAll = -pinugtsdrlbamcCMSH ; +IgnoreNone = +pinugtsdrbamcCMSH-l ; +Temporary = +pugt ; + +@@section FS + + ######################################## + # ## +######################################## # +# # # +# Tripwire Binaries and Data Files # # +# ## +######################################## + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", severity=100 +) +{ + $(TWBIN)/siggen -> $(SEC_READONLY) ; + $(TWBIN)/tripwire -> $(SEC_READONLY) ; + $(TWBIN)/twadmin -> $(SEC_READONLY) ; + $(TWBIN)/twprint -> $(SEC_READONLY) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", severity=100 +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. 
+ + $(TWDB) -> $(SEC_DYNAMIC) -i ; + $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ; + $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ; + # $(TWLKEY)/local.key -> $(SEC_READONLY) ; + $(TWSKEY)/site.key -> $(SEC_READONLY) ; + + # don't scan the individual reports + $(TWREPORT) -> $(SEC_DYNAMIC)(recurse=0) ; + + +} + + ################################################ + # ## +################################################ # +# # # +# OS Boot and Configuration Files # # +# ## +################################################ +( + rulename = "OS Boot and Configuration Files", severity=100 +) +{ + #/mach.sym -> $(SEC_READONLY)-im ; + /mach_kernel -> $(SEC_READONLY) ; + /private/etc -> $(SEC_READONLY)-m ; + + #/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ; + #/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ; + /private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ; + #/private/etc/smb.conf -> $(SEC_READONLY)-im ; + + /Library -> $(SEC_READONLY) ; + /System -> $(SEC_READONLY) ; + + /Library/Printers -> $(SEC_READONLY)(recurse=2) ; + /Library/Documentation -> $(SEC_READONLY)(recurse=2) ; + /Library/Filesystems -> $(SEC_DYNAMIC)-i ; + /Library/"Application Support" -> $(SEC_DYNAMIC)-im(recurse=2) ; + + /System/Library/Filesystems -> $(SEC_DYNAMIC)-i ; + /System/Library/CoreServices -> $(SEC_READONLY)-im ; + /System/Library/Filesystems/hfs.fs -> $(SEC_DYNAMIC)(recurse=0) ; + +} + + ################################################### + # ## +################################################### # +# # # +# Mount Points # # +# ## +################################################### +( + rulename = "Mount Points", severity=60 +) +{ + / -> $(SEC_READONLY)(recurse=0) ; + /Volumes -> $(SEC_READONLY)-M (recurse=0) ; + /usr -> $(SEC_READONLY)(recurse=0) ; + +} + + + ################################################ + # ## +################################################ # +# # # +# System Devices # # +# ## +################################################ +( + rulename = "System Devices", 
severity=60 +) +{ + /dev -> $(SEC_DEVICE)(recurse=0) ; +} + + ################################################ + # ## +################################################ # +# # # +# OS Binaries and Libraries # # +# ## +################################################ +( + rulename = "OS Binaries and Libraries", severity=100 +) +{ + /bin -> $(SEC_READONLY) ; + /sbin -> $(SEC_READONLY) ; + /usr/bin -> $(SEC_READONLY) ; + /usr/lib -> $(SEC_READONLY) ; + /usr/libexec -> $(SEC_READONLY) ; + /usr/sbin -> $(SEC_READONLY) ; + /usr/X11 -> $(SEC_READONLY)(recurse=2) ; # May not be present + #/usr/X11/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present + /usr/share -> $(SEC_READONLY) ; + /usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ; + +} + + + ################################################ + # ## +################################################ # +# # # +# OS X Applications # # +# ## +################################################ +( + rulename = "OS Binaries and Libraries", severity=100 +) +{ + /Applications -> $(SEC_READONLY)-im(recurse=2) ; +} + + ################################################ + # ## +################################################ # +# # # +# Usr Local Files # # +# ## +################################################ +( + rulename = "Usr Local Files", severity=60 +) +{ + /usr/local -> $(SEC_READONLY) ; + /usr/local/sbin -> $(SEC_READONLY) ; + /usr/local/bin -> $(SEC_READONLY) ; + /usr/local/include -> $(SEC_READONLY) ; + /usr/local/opt -> $(SEC_READONLY) ; + /usr/local/libexec -> $(SEC_READONLY) ; + /usr/local/lib -> $(SEC_READONLY) ; + /usr/local/etc -> $(SEC_READONLY) ; + /usr/local/share -> $(SEC_READONLY) ; + /usr/local/man -> $(SEC_READONLY) ; + /usr/local/Frameworks -> $(SEC_READONLY) ; + # Homebrew + /usr/local/.git -> $(SEC_READONLY) ; + /usr/local/Cellar -> $(SEC_READONLY) ; +} + + + ################################################ + # ## +################################################ # +# # # +# Temporary Files and Directories # 
# +# ## +################################################ +( + rulename = "Variable System Files", severity=60 +) +{ + /private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ; + + /private/tftpboot -> $(SEC_READONLY)-i ; + + /private/var -> $(SEC_READONLY)-i ; + /private/var/backups -> $(SEC_READONLY)-imc(severity=100) ; + #/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ; + #/private/var/cron -> $(SEC_DYNAMIC) -i ; + /private/var/db -> $(SEC_READONLY)-im ; + /private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ; + #/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ; + #/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ; + #/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ; + /private/var/log -> $(SEC_DYNAMIC) -i ; + #/private/var/mail -> $(SEC_DYNAMIC) ; + /private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ; + /private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ; + /private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ; + #/private/var/slp.regfile -> $(SEC_READONLY)-im ; + #/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ; + /private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ; + #/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ; + /private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ; + /private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ; + /private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ; + + /Library/Caches -> $(SEC_DYNAMIC) -i ; + /Library/Logs -> $(SEC_DYNAMIC) -i(recurse=1) ; + /Library/Preferences -> $(SEC_DYNAMIC) -i(recurse=1) ; + "/Library/Internet Plug-Ins" -> $(SEC_DYNAMIC) -i ; + + !/private/var/db/dhcpclient ; + !/private/var/db/dhcpd_leases ; + !/private/var/db/locate.database ; + !/private/var/db/SystemEntropyCache ; + !/private/var/db/mds/messages/se_SecurityMessages ; + !/private/var/db/samba/secrets.tdb ; + !/private/var/db/ntp.drift ; + !/private/var/folders ; + !/private/var/vm/sleepimage ; + !/private/var/vm/swap0 ; + 
!/private/var/vm/swap[1-9][0-9]* ; + # Sophos + !/Library/Caches/com.sophos.sau ; + !/Library/Caches/com.sophos.sxld ; +} + + + ################################################### + # ## +################################################### # +# # # +# User Home Directories # # +# ## +################################################### +( + rulename = "Home Directories", severity=60 +) +{ + /Users -> $(SEC_READONLY)(recurse=0) ; # Modify as needed + + +##### +# +# USER1 as defined at top of policy +# +##### + +# /Users/$(USER1) -> $(SEC_READONLY)-mc ; +# /Users/$(USER1)/Library/Preferences -> $(SEC_DYNAMIC)-i ; +# "/Users/$(USER1)/Library/Recent Servers" -> $(SEC_DYNAMIC)-i ; +# "/Users/$(USER1)/Library/Safari" -> $(SEC_DYNAMIC)-i(recurse=3) ; +# "/Users/$(USER1)/Library/Spelling" -> $(SEC_DYNAMIC)-i ; +# "/Users/$(USER1)/Library/Mail" -> $(SEC_DYNAMIC)-i(recurse=2) ; +# "/Users/$(USER1)/Pictures/iPhoto Library" -> $(SEC_DYNAMIC)-i(recurse=1) ; +# "/Users/$(USER1)/Library/Application Support" -> $(SEC_DYNAMIC)-im(recurse=2) ; +# /Users/$(USER1)/Documents -> $(SEC_DYNAMIC)(recurse=0) ; +# /Users/$(USER1)/Desktop -> $(SEC_DYNAMIC)(recurse=0) ; + + +#!"/Users/$(USER1)/Documents/Virtual PC List" ; # These items are *huge*, and are of little value to scan. +#!"/Users/$(USER1)/Library/Preferences/Microsoft/Clipboard" ; +#!"/Users/$(USER1)/Library/Safari/Icons" ; +#!"/Users/$(USER1)/Music/iTunes" ; +#!"/Users/$(USER1)/Library/Caches" ; +#!"/Users/$(USER1)/Library/Cookies" ; +#!"/Users/$(USER1)/Library/Logs" ; +#!"/Users/$(USER1)/Library/Folding@home" ; +#!"/Users/$(USER1)/setiathome" ; +#!"/Users/$(USER1)/Documents/seti-A" ; +#!"/Users/$(USER1)/Documents/seti-B" ; +#!"/Users/$(USER1)/.tcsh_history" ; +#!"/Users/$(USER1)/.DS_Store" ; +#!"/Users/$(USER1)/Public/.DS_Store" ; +#!"/Users/$(USER1)/.jpi_cache" ; +#!"/Users/$(USER1)/.lpoptions" ; +#!"/Users/$(USER1)/.Trash" ; +} 
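Review bot: `SEC_READONLY = +pinugtsbmCM-drlacSH ;` in twpol.txt.sample checks file content only with CRC-32 and MD5 and switches SHA and HAVAL off, and this mask is what guards the Tripwire binaries, the site key and the OS binary directories. Neither enabled hash is collision-resistant by current standards, so for the severity-100 rules a mask that keeps SHA, for example `SEC_READONLY = +pinugtsbmCMS-drlacH ;`, is a safer default if the extra scan time is acceptable. The local key rule is commented out (`# $(TWLKEY)/local.key`) and the sample config names the file `$(HOSTNAME)-local.key`, so the local key is not covered by the "Tripwire Data Files" rule. The "OS X Applications" block reuses `rulename = "OS Binaries and Libraries"`, which makes violations under /Applications indistinguishable from the system binaries rule in reports.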
diff --git a/contrib/tripwire_accept_new_baseline b/contrib/tripwire_accept_new_baseline
new file mode 100755
index 0000000..6699ccb
--- /dev/null
+++ b/contrib/tripwire_accept_new_baseline
@@ -0,0 +1,6 @@
+#!/bin/sh
+TIMESTAMP=$(/bin/date +%Y-%m-%dT%H:%M:%S%z)
+REPORT="$(find TRIPWIRE_ROOT/lib/tripwire/report -type f | tail -1)"
+read -p "Accept $REPORT ? [accept] " PROMPT
+test "$PROMPT" != 'accept' && exit 1
+time TRIPWIRE_ROOT/sbin/tripwire -m u -a -r "$REPORT" 2>&1 | tee TRIPWIRE_LOG_DIR/tripwire_database-updated-baseline_$TIMESTAMP.log
diff --git a/contrib/tripwire_check b/contrib/tripwire_check
new file mode 100755
index 0000000..1c5cba8
--- /dev/null
+++ b/contrib/tripwire_check
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Tripwire cron script borrowed from Linux and modified for generic situations.
+# You should of course change path names to suit your environment.
+#
+# Contributed by Timothy K Ewing
+#
+HOST_NAME=`uname -n`
+TWCFG_PATH=TRIPWIRE_ETC_DIR
+TWDB_PATH=TRIPWIRE_DB_DIR
+TWROOT_PATH=TRIPWIRE_ROOT
+MAILTO="root" # Email addresses that should recieve reports
+
+#
+# Define checks which alert user to misconfiguration or run the check
+#
+if [ ! -e ${TWDB_PATH}/${HOST_NAME}.twd ]; then
+ echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
+ echo "**** Verify tripwire was installed and/or "tripwire --init". ****"
+else
+ test -f ${TWCFG_PATH}/tw.cfg && ${TWROOT_PATH}/tripwire --check | \
+ mail -s "${HOST_NAME} tripwire-check" ${MAILTO}
+fi
diff --git a/contrib/tripwire_log_rotate b/contrib/tripwire_log_rotate
new file mode 100755
index 0000000..5da8b62
--- /dev/null
+++ b/contrib/tripwire_log_rotate
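Review bot: `REPORT="$(find TRIPWIRE_ROOT/lib/tripwire/report -type f | tail -1)"` in tripwire_accept_new_baseline does not select the newest report: find returns entries in directory order, so the file offered to `tripwire -m u -a`, which accepts every change recorded in it, can be an arbitrary older report. The path is also hard-wired to `TRIPWIRE_ROOT/lib/tripwire/report` while the sample twcfg.txt writes reports to `TRIPWIRE_DB_DIR/report`; something like `REPORT="$(ls -t TRIPWIRE_DB_DIR/report/*.twr 2>/dev/null | head -n 1)"` followed by a check that `$REPORT` is non-empty would pick the latest one. `read -p` is not POSIX, so under `#!/bin/sh` on a dash-based system the prompt fails; `printf` followed by `read -r PROMPT` works everywhere. Because `-a` skips the interactive review, printing the report with twprint before asking for confirmation would let the operator see what is being accepted into the baseline.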
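Review bot: tripwire_check launches the scan as `${TWROOT_PATH}/tripwire --check`, but `TWROOT_PATH` is `TRIPWIRE_ROOT` and the rest of this commit installs and references the binary under `TRIPWIRE_ROOT/sbin`, so from cron the command is likely not found and mail goes out with an empty body. When `tw.cfg` is missing, the `test -f … &&` form skips the run without any output, which for an integrity monitor is a silent failure. I would use `${TWROOT_PATH}/sbin/tripwire --check 2>&1 | mail …` and turn the tw.cfg test into its own branch that prints an error the way the missing-database case does. The second `echo` nests unescaped double quotes around `tripwire --init`; single quotes inside the message keep it one argument.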
@@ -0,0 +1,50 @@
+#!/bin/sh -e
+
+RM='rm -f'
+#RM='echo rm -f'
+
+LOG_START="$1"
+LOG_EXT="$2"
+
+NOW="$(/bin/date +%Y%m%d)"
+NOW_YEAR="$(echo $NOW | cut -c-4)"
+NOW_MONTH="$(echo $NOW | cut -c5-6)"
+NOW_DAY="$(echo $NOW | cut -c7-8)"
+
+LOG_START_LEN="$(echo $LOG_START | wc -c | awk '{print$1}')"
+
+YEARS="$(ls $LOG_START*$LOG_EXT | cut -c$LOG_START_LEN-$[LOG_START_LEN+3] | sort -u)"
+
+for YEAR in $YEARS; do
+ if [ "$YEAR" = "$NOW_YEAR" ]; then
+ # only keep one per day
+ for MONTH in `seq -f "%02g" 12`; do
+ for DAY in `seq -f "%02g" 31`; do
+ if [ "$NOW_MONTH" = "$MONTH" ] && [ "$NOW_DAY" = "$DAY" ]; then
+ # if now is today, dont prune anything
+ :;
+ else
+ # save only the first report per day
+ FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-${DAY}T*${LOG_EXT} 2>/dev/null | tail -n +2)"
+ #FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-${DAY}T*${LOG_EXT} | tail -n +2)"
+ if [ -n "$FILES" ]; then
+ set -x
+ $RM $FILES
+ set +x
+ fi
+ fi
+ done # DAY
+ done # MONTH
+ else # not current year
+ # only keep one per month
+ for MONTH in `seq -f "%02g" 12`; do
+ FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-*${LOG_EXT} 2>/dev/null | tail -n +2)"
+ #FILES="$(ls -rt ${LOG_START}${YEAR}-${MONTH}-*${LOG_EXT} | tail -n +2)"
+ if [ -n "$FILES" ]; then
+ set -x
+ $RM $FILES
+ set +x
+ fi
+ done # MONTH
+ fi
+done # YEAR
diff --git a/contrib/tripwire_periodic_check b/contrib/tripwire_periodic_check
new file mode 100755
index 0000000..5add62c
--- /dev/null
+++ b/contrib/tripwire_periodic_check
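Review bot: `$1` and `$2` are taken without validation and every expansion on the way to `$RM $FILES` is unquoted, so a call with a missing or wrong prefix builds its delete patterns from whatever `ls $LOG_START*$LOG_EXT` returns in the current directory, and paths containing spaces are split before they reach `rm -f`. The script should refuse to run without both arguments, e.g. `[ -n "$1" ] && [ -n "$2" ] || { echo "usage: tripwire_log_rotate PREFIX EXT" >&2; exit 2; }` placed before `LOG_START` is assigned. Separately, `$[LOG_START_LEN+3]` is an obsolete bash form that a POSIX `/bin/sh` such as dash does not expand; `$((LOG_START_LEN + 3))` is the portable spelling. Without it the `cut` range is invalid, the year list is likely to come out empty, and no log is ever pruned even though the script exits successfully.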
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+on_battery_power() {
+ case `uname` in
+ Darwin) pmset -g batt | grep -q discharging
+ *) false
+ esac
+}
+
+if on_battery_power; then
+ echo "Skipping tripwire check due to computer being on battery power" >&2
+ exit 1
+fi
+TIMESTAMP=$(/bin/date +%Y-%m-%dT%H:%M:%S%z)
+time TRIPWIRE_ROOT/sbin/tripwire -m c 2>&1 | tee TRIPWIRE_LOG_DIR/tripwire_periodic_$TIMESTAMP.log
+TRIPWIRE_ROOT/sbin/tripwire_log_rotate "TRIPWIRE_LOG_DIR/tripwire_periodic_" ".log"
+
+## Todo: Automatically groom reports in `TRIPWIRE_DB_DIR/report/*.twr`
diff --git a/contrib/tripwire_set_site_and_local_passphrases b/contrib/tripwire_set_site_and_local_passphrases
new file mode 100755
index 0000000..569df89
--- /dev/null
+++ b/contrib/tripwire_set_site_and_local_passphrases
@@ -0,0 +1,3 @@
+#!/bin/sh
+# creates TRIPWIRE_ROOT/etc/site.key and TRIPWIRE_ROOT/etc/(hostname)-local.key
+TRIPWIRE_ROOT/sbin/twadmin --generate-keys --local-keyfile TRIPWIRE_ROOT/etc/$(hostname -f)-local.key --site-keyfile TRIPWIRE_ROOT/etc/site.key
diff --git a/contrib/tripwire_uninstall b/contrib/tripwire_uninstall
new file mode 100755
index 0000000..4152809
--- /dev/null
+++ b/contrib/tripwire_uninstall
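Review bot: The `Darwin)` arm of the `case` in `on_battery_power` has no `;;` terminator, so a POSIX shell should stop with a syntax error at `*)` and the scheduled integrity check never runs. Terminate both arms: `Darwin) pmset -g batt | grep -q discharging ;;` and `*) false ;;`. Piping `tripwire -m c` into `tee` also discards tripwire's exit status, so cron sees the status of `tee` and of the log rotation rather than of the check. If callers are meant to react to violations, write the log with a redirection, keep `$?`, and print the log afterwards.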
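Review bot: tripwire_set_site_and_local_passphrases names the local key from `$(hostname -f)`, while tripwire_check in this commit derives the host name from `uname -n`. On hosts where the fully qualified and short names differ, the key file name will not line up with the name the rest of the setup uses, and `hostname -f` may not be available on every platform the ReadMe lists. I would take the name from one source in both scripts and quote the path: `--local-keyfile "TRIPWIRE_ROOT/etc/$(uname -n)-local.key"`.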
@@ -0,0 +1,152 @@
+#!/bin/sh
+set -e
+
+unset NO_CONFIRM
+unset NO_REMOVE
+unset REMOVE_REPORTS
+unset REMOVE_LOGS
+unset REMOVE_DB
+unset REMOVE_KEYS
+unset RM
+
+UNAME=`uname`
+
+help() {
+ cat >&2 << 'HELP'
+
+ tripwire_uninstall [-y] [-N] [ [-R] [-L] [-D] [-K] | [-A] ]
+
+ -y no confirmation (unattended operation)
+ -N dont remove binaries, docs and man pages
+ -A remove everything (logs, reports, db and keys)
+ -R remove reports
+ -L remove logs
+ -D remove db
+ -K remove keys
+
+ -N with -Y is valid
+
+
+HELP
+}
+
+while [ "$#" != 0 ]; do
+ case "$1" in
+ -y) NO_CONFIRM=1 ;;
+ -N) NO_REMOVE=1 ;;
+ -L) REMOVE_LOGS=1 ;;
+ -D) REMOVE_DB=1 ;;
+ -K) REMOVE_KEYS=1 ;;
+ -A) REMOVE_LOGS=1
+ REMOVE_KEYS=1
+ REMOVE_DB=1
+ ;;
+ *) help ; exit 1
+ esac
+ shift
+done
+
+secure_rm() {
+case $UNAME in
+ Darwin)
+ /usr/bin/srm -vf -- "$@"
+ ;;
+ Linux)
+ /usr/bin/shred -vfu -- "$@"
+ ;;
+ FreeBSD|*)
+ # 3x wipe
+ for FILE in "$@"; do
+ /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+ /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+ /bin/dd if=/dev/random of="$FILE" bs=1 count=$(/usr/bin/wc -c < "$FILE" | /usr/bin/sed "s/[^0-9]//g")
+ done
+ rm -vf "$@"
+ ;;
+esac
+}
+
+secure_rm_rf() {
+case $UNAME in
+ Darwin)
+ /usr/bin/srm -vrf -- "$@"
+ ;;
+ Linux)
+ /usr/bin/find "$@" -type f -exec /usr/bin/shred -vfu -- {} \;
+ rm -vrf "$@"
+ ;;
+ FreeBSD|*)
+ # 3x wipe
+ /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+ /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+ /usr/bin/find "$@" -type f | xargs -I% sh -c '/bin/dd if=/dev/random of="%" bs=1 count=$(/usr/bin/wc -c < "%" | /usr/bin/sed "s/[^0-9]//g")'
+ rm -vrf "$@"
+ ;;
+esac
+}
+
+
+if [ -n "$NO_CONFIRM" ]; then
+ :; # noop
+else
+ printf "Uninstall tripwire ? [Yn] "
+
+ unset PROMPT
+ read PROMPT
+
+ if [ "$PROMPT" = 'y' ] || [ "$PROMPT" = 'Y' ]; then
+ :; # noop
+ else
+ echo "user cancelled" >&2
+ exit 1
+ fi
+fi
+
+if [ -z "$NO_REMOVE" ]; then
+ echo "removing tripwire binaries, scripts, docs and man pages" >&2
+
+ # binaries
+ secure_rm "TRIPWIRE_ROOT/sbin/siggen"
+ secure_rm "TRIPWIRE_ROOT/sbin/tripwire"
+ secure_rm "TRIPWIRE_ROOT/sbin/twadmin"
+ secure_rm "TRIPWIRE_ROOT/sbin/twprint"
+
+ # scripts
+ secure_rm "TRIPWIRE_ROOT/sbin/tripwire_"*
+
+ # docs
+ secure_rm_rf "TRIPWIRE_ROOT/doc/tripwire"
+
+ # man pages
+ secure_rm "TRIPWIRE_ROOT/share/man/man4/twconfig.4"
+ secure_rm "TRIPWIRE_ROOT/share/man/man4/twpolicy.4"
+ secure_rm "TRIPWIRE_ROOT/share/man/man5/twfiles.5"
+ secure_rm "TRIPWIRE_ROOT/share/man/man8/siggen.8"
+ secure_rm "TRIPWIRE_ROOT/share/man/man8/tripwire.8"
+ secure_rm "TRIPWIRE_ROOT/share/man/man8/twadmin.8"
+ secure_rm "TRIPWIRE_ROOT/share/man/man8/twintro.8"
+ secure_rm "TRIPWIRE_ROOT/share/man/man8/twprint.8"
+fi
+
+
+if [ -n "$REMOVE_REPORTS" ]; then
+ echo "removing tripwire reports" >&2
+ secure_rm "TRIPWIRE_ROOT/lib/tripwire/report"/*.twr
+fi
+
+if [ -n "$REMOVE_LOGS" ]; then
+ echo "removing tripwire logs" >&2
+ secure_rm "TRIPWIRE_LOG_DIR/tripwire_periodic_"*.log
+fi
+
+if [ -n "$REMOVE_DB" ]; then
+ echo "removing tripwire db" >&2
+ secure_rm "TRIPWIRE_ROOT/lib/tripwire"/*.twd*
+fi
+
+if [ -n "$REMOVE_KEYS" ]; then
+ echo "removing tripwire keys" >&2
+ secure_rm "TRIPWIRE_ROOT/etc"/*.key
+fi
+
+echo "finished removing tripwire" >&2
diff --git a/contrib/tripwire_update_config_file b/contrib/tripwire_update_config_file
new file mode 100755
index 0000000..c736bab
--- /dev/null
+++ b/contrib/tripwire_update_config_file
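Review bot: The help text advertises `-R` and says `-A` removes reports, but the option loop has no `-R` arm and `-A` never sets `REMOVE_REPORTS`, so `-R` falls into `*) help ; exit 1` and the `REMOVE_REPORTS` block near the end can never run. Add `-R) REMOVE_REPORTS=1 ;;` to the `case` and a `REMOVE_REPORTS=1` line under `-A`. In the `FreeBSD|*` arm of `secure_rm_rf`, `xargs -I% sh -c '… of="%" …'` pastes each file name into a shell command line, so a name containing quotes or `$( )` is interpreted as code by a script that normally runs as root. Passing the name as a positional parameter (`find "$@" -type f -exec sh -c '…' sh {} \;` with `"$1"` inside the quoted script) avoids that. The `dd` passes in both functions also lack `conv=notrunc`, so each pass truncates the file first and the overwrite is not guaranteed to land on the blocks that held the old data.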
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Overwrites TRIPWIRE_ROOT/etc/tw.cfg
+# TRIPWIRE_ROOT/etc/twcfg.txt -> TRIPWIRE_ROOT/etc/tw.cfg
+#
+set -e
+
+if [ ! -e "TRIPWIRE_ROOT/etc/site.key" ]; then
+ echo "Missing TRIPWIRE_ROOT/etc/site.key" >&2
+ echo >&2
+ echo "Run TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases first" >&2
+ exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/twcfg.txt" ]; then
+ echo "Missing TRIPWIRE_ROOT/etc/twcfg.txt" >&2
+ echo >&2
+ echo "Create and customize it for your environment and try again" >&2
+ exit 1
+fi
+
+TRIPWIRE_ROOT/sbin/twadmin --create-cfgfile -S TRIPWIRE_ROOT/etc/site.key TRIPWIRE_ROOT/etc/twcfg.txt
diff --git a/contrib/tripwire_update_policy_file b/contrib/tripwire_update_policy_file
new file mode 100755
index 0000000..332eb40
--- /dev/null
+++ b/contrib/tripwire_update_policy_file
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Overwrites TRIPWIRE_ROOT/etc/tw.pol
+# TRIPWIRE_ROOT/etc/twpol.txt -> TRIPWIRE_ROOT/etc/tw.pol
+#
+set -e
+
+if [ ! -e "TRIPWIRE_ROOT/etc/site.key" ]; then
+ echo "Missing TRIPWIRE_ROOT/etc/site.key" >&2
+ echo >&2
+ echo "Run TRIPWIRE_ROOT/sbin/tripwire_set_site_and_local_passphrases first" >&2
+ exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/tw.cfg" ]; then
+ echo "Missing TRIPWIRE_ROOT/etc/tw.cfg" >&2
+ echo >&2
+ echo "Run TRIPWIRE_ROOT/sbin/tripwire_update_config_file first" >&
+ exit 1
+fi
+
+if [ ! -e "TRIPWIRE_ROOT/etc/twpol.txt" ]; then
+ echo "Missing TRIPWIRE_ROOT/etc/twpol.txt" >&2
+ echo >&2
+ echo "Create and customize it for your environment and try again" >&2
+ exit 1
+fi
+
+TRIPWIRE_ROOT/sbin/twadmin --create-polfile -S TRIPWIRE_ROOT/etc/site.key TRIPWIRE_ROOT/etc/twpol.txt
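Review bot: Nothing in tripwire_update_config_file tells the operator that the clear-text `twcfg.txt` stays on disk after `tw.cfg` has been signed. The usual Tripwire guidance is to remove or lock down the clear-text copies once the signed files exist, since they describe what is and is not monitored. I would add a closing comment such as `# twcfg.txt is left in clear text: remove it or restrict it to root once tw.cfg has been verified`. The same applies to `twpol.txt` in tripwire_update_policy_file. The existence tests use `-e`; `-f` would also reject a directory or other non-regular path at those locations.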
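Review bot: The third `echo` in the `tw.cfg` check of tripwire_update_policy_file ends in `>&` with no file descriptor, which `sh` rejects as a syntax error, so as shown the script cannot run at all. It should read `echo "Run TRIPWIRE_ROOT/sbin/tripwire_update_config_file first" >&2`, like the other messages in the file.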