Compare commits

205 Commits

Author SHA1 Message Date
Brian Cox 4c84a88471 Set theme jekyll-theme-minimal 2019-03-16 12:30:30 -07:00
Brian Cox b4bd52e808
Merge pull request #34 from crdotson/patch-1
fix create policy command line
2018-11-29 23:31:25 -08:00
crdotson 7e0ed31da7
fix create policy command line
/path/to/site.key was missing from the example.
2018-11-29 12:29:02 -05:00
Brian Cox 1eef710a2b
Merge pull request #30 from hallcristobal/readme
Correct README formatting
2018-04-25 00:15:22 -07:00
Cristobal Hall-Ramos 62b04550cd Correct README formatting 2018-04-24 15:08:55 -04:00
Brian Cox 6e64a9e5b7
Merge pull request #29 from Tripwire/dev/q1-2018
Open Source Tripwire 2.4.3.7
2018-03-30 23:05:50 -07:00
Brian Cox 4a40b22487 Update BSD & generic policies to use same SEC_ naming conventions as other policies 2018-03-30 19:13:49 -07:00
Brian Cox 29efce4805 update changelog; change param names in some test-harness tests for consistency 2018-03-30 17:56:20 -07:00
Brian Cox 55b6e78584 Add test-harness tests for new twprint options (verbosity in print-db, object-list in print-report) 2018-03-30 01:21:49 -07:00
Brian Cox 6d82f3b6b1 Add ability to print report by object list, like we already do w/ print-db mode 2018-03-29 23:40:34 -07:00
Brian Cox 4d3c188cac Add --output-level/DBPRINTLEVEL to twprint's print-dbfile mode 2018-03-27 20:29:49 -07:00
Brian Cox de9ca5cbec Update ChangeLog for clang-format stuff 2018-03-24 21:58:49 -07:00
Brian Cox ccf8a62fa4 Clean up code formatting with clang-format; add a custom clang-format style that tries to approximate the existing OST code style 2018-03-24 21:28:30 -07:00
Brian Cox 184b260d9f Update 'Packaging' file to mention the Dockerfile project I saw recently 2018-03-24 11:42:19 -07:00
Brian Cox de1cb99678 Update ChangeLog 2018-03-24 11:35:57 -07:00
Brian Cox cb18ec4a3b More wordsmithing for README.md 2018-03-24 10:59:00 -07:00
Brian Cox a2a9099ab4 Use SEC_ naming convention w/ Solaris policy 2018-03-20 00:11:55 -07:00
Brian Cox 38fc87fa9a Use SEC_ naming convention for OpenBSD (& variants) policies, including new one for LibertyBSD 2018-03-19 23:23:56 -07:00
Brian Cox ab4c9203da Use SEC_ naming convention in new policies 2018-03-19 23:09:15 -07:00
Brian Cox 392b533045 Assorted default policy updates 2018-03-14 01:12:12 -07:00
Brian Cox 59947009d0 More work on README.md 2018-03-14 00:55:29 -07:00
Brian Cox e8e6d78ebf Add a SkyOS default policy 2018-02-25 09:33:33 -08:00
Brian Cox 0f236fabf4 Use system/popen on Syllable since msystem/mpopen fail there; root cause is still TBD. 2018-02-24 22:50:25 -08:00
Brian Cox ffe929240d Syllable default policy 2018-02-24 19:53:53 -08:00
Brian Cox 304edd4ed9 Default Cygwin policy, and install script tweak to enable it, by using uname -o when uname -s gives us a name in a format we'd rather not use, like 'CYGWIN_NT_10.0' 2018-02-22 17:07:32 -08:00
Brian Cox e74631701a small Hurd policy tweak 2018-02-22 01:43:24 -08:00
Brian Cox cb5e37b2bf Merge branch 'dev/q1-2018' of https://github.com/Tripwire/tripwire-open-source into dev/q1-2018 2018-02-22 01:34:55 -08:00
Brian Cox 0912e56ffe Default policy for GNU/Hurd 2018-02-22 01:34:23 -08:00
Brian Cox 61285f6444 Add default Minix policy 2018-02-22 07:30:44 +00:00
Brian Cox 07ffc89e24 Change description in Linux policy 2018-02-21 01:13:06 -08:00
Brian Cox 10ba07202a Add a default policy for AROS 2018-02-20 22:11:51 -08:00
Brian Cox 904e92a2bb Pass INSTALL_STRIP_FLAG to installer more portably 2018-02-19 20:10:33 -08:00
Brian Cox f4e64498da Some makefile spaces -> tabs. 2018-02-19 19:48:44 -08:00
Brian Cox 580c5b5e1d Beef up install.sh editor detection 2018-02-19 12:20:45 -08:00
Brian Cox 96616b2751 Add a default policy for Haiku 2018-02-18 00:33:48 -08:00
Brian Cox 9c645498e2 Tweak twest usage/help, & add version info and zero-tests-ran error 2018-02-10 16:44:31 -08:00
Brian Cox a56b687594 More wordsmithing on README.md 2018-02-10 16:02:47 -08:00
Brian Cox 56824ddcb7 Update & clarify Packaging file 2018-01-18 18:10:18 -08:00
Brian Cox 40b1f58612 README.md work in progress 2018-01-18 17:45:44 -08:00
Brian Cox fa86fc66d7 README.md shouldn't say OST is for Linux, because portable. 2018-01-04 23:46:28 -08:00
Brian Cox c3867537a1 Add 'EXIT STATUS' sections to man pages, per user request. Also do a couple of minor rewordings & bump the page revision dates. 2018-01-04 23:26:42 -08:00
Brian Cox 098d91a03b One more version update; remove an unneeded include 2018-01-02 00:32:07 -08:00
Brian Cox f1525a267a Bump version & copyright year 2018-01-01 17:44:15 -08:00
Brian Cox 80db91b4c1 Merge pull request #27 from Tripwire/dev/next
Open Source Tripwire 2.4.3.6
2017-10-01 19:49:45 -07:00
Brian Cox d06b001efe Platform macros for QNX, & recognize the QNX-only 'Named special file' filetype 2017-09-27 20:25:24 -07:00
Brian Cox 38ba317588 Update ChangeLog for 2.4.3.6 (finally); Tweak a TWUtil test so it expects the right uid value on AROS 2017-09-27 00:07:59 -07:00
Brian Cox 9bdb855d9a Don't look for stuff in /dev on AROS during configure, as this pops up an ugly 'Please insert disk' dialog box. 2017-09-26 00:46:56 -07:00
Brian Cox 249c2cd33f Additional unit test tweaks to make DOS+DJGPP happier 2017-09-24 23:48:57 -07:00
Brian Cox 9872bef2f2 Fix/implement more unit tests that were marked as 'skipped' 2017-09-24 18:44:47 -07:00
Brian Cox 1333f3c15e LibertyBSD platform detection 2017-09-23 18:21:13 -07:00
Brian Cox 99641c468f Add a platform macro indicating whether OS lets temp files be unlinked while open 2017-09-23 13:19:40 -07:00
Brian Cox ea885446c2 Small Redox path tweaks 2017-09-22 23:40:36 -07:00
brc0x1 9b6750a98c More for Redox support, & cleaner exclusion of SMTP stuff when SUPPORTS_NETWORKING is false 2017-09-22 21:02:50 -07:00
Brian Cox 6a104efd03 Update config.guess & config.sub to GNU latest (but re-adding MidnightBSD fix); add config macros for struct stat fields that aren't always present (instead of static defines in platform.h); platform detection & path handling for Redox 2017-09-22 20:20:17 -07:00
Brian Cox 3924c4376c Add unit test to verify IS_xxx platform macros are defined correctly 2017-09-21 23:34:41 -07:00
Brian Cox 4f0b019ef3 Tinker with BSD platform detection (now including Bitrig); add policy files for various BSDs (adapted from policy for the closest BSD, Free or Open), plus one for HP-UX adapted from the generic policy 2017-09-21 19:46:56 -07:00
Brian Cox b60dcfa7d6 Merge branch 'dev/next' of https://github.com/Tripwire/tripwire-open-source into dev/next 2017-09-21 13:07:46 -07:00
Brian Cox 096a96ad55 Platform.h tweak & policy file for MirOS BSD 2017-09-21 13:06:52 -07:00
Brian Cox 7545beb0e6 Make sure cFile_i is constructed & destructed cleanly; clean up GetSymLinkStr a bit more; improve Debug/Basic & UnixFSServices/GetExecutableFilename unit tests 2017-09-21 01:12:28 -07:00
brc0x1 a4ae3af444 Fix/implement RISC OS path handling 2017-09-18 17:55:17 -07:00
Brian Cox e18003bb14 AROS path fix 2017-09-13 23:39:50 -07:00
Brian Cox f67c370f29 Enable some new path unit tests 2017-09-13 23:01:22 -07:00
Brian Cox 769874d34b Path fixes for FreeDOS/DJGPP 2017-09-13 21:35:56 -07:00
Brian Cox 4abec97664 Last tweak to dbupdate harness test needed help 2017-09-10 21:01:46 -07:00
Brian Cox 6cf3936319 Test-harness tweaks for DragonflyBSD, where we expect a few fewer changes (access/modify times). Tweak one test expected values to pass, skip 2 more with notes saying they need refactoring. 2017-09-10 20:29:53 -07:00
Brian Cox ee8c63b8f9 In inode count test, update the list of platforms that don't do hardlinks 2017-09-10 12:59:21 -07:00
Brian Cox 541c951715 Fix a typo in readonly test 2017-09-10 01:22:31 -07:00
Brian Cox 8d8652fe93 More platform tweaks for harness tests, this time TODO-ing out a couple of tests for Hurd since it's expected to get fewer violations 2017-09-10 01:16:17 -07:00
Brian Cox 5bea3693b4 One more harness test tweak, avoiding access time violations in the readonly test 2017-09-10 00:44:17 -07:00
Brian Cox 15b7d18104 Couple more test-harness platform tweaks 2017-09-10 00:21:44 -07:00
Brian Cox 2a278ad29b Make 'syslog not supported' a warning vs a fatal error if someone tries to use it on syslog-less platforms; clean up unit & harness tests & handle some per-platform quirks 2017-09-09 23:26:45 -07:00
Brian Cox 9b194b5122 Include OS name in test-harness output 2017-09-09 20:24:17 -07:00
Brian Cox 6f13e00055 Tweak siggen test-harness test for portability, since a few outlier impls of ps (e.g. Haiku) don't support -ef args 2017-09-08 23:00:36 -07:00
Brian Cox 041ca7f3b3 Tweak a couple of tests that generally fail due to environmental issues (locale configuration, local IP <--> hostname mapping, current username) so they're marked as skipped instead of failed when it looks like a configuration problem. 2017-09-08 18:04:35 -07:00
Brian Cox e7b00507e9 Skip a TWLocale test on Cygwin since it doesn't like the 'C' locale 2017-09-08 16:51:49 -07:00
Brian Cox b648b2493f Fix various unit tests that didn't test anything, or needed cleanup; disable some cTWLocale methods that were unused outside of their own unit tests. 2017-09-08 16:31:36 -07:00
Brian Cox f05b85726e Merge branch 'dev/next' of https://github.com/Tripwire/tripwire-open-source into dev/next 2017-09-08 11:59:59 -07:00
Brian Cox 2a3d69e8c9 Fixes for Cygwin: Use local swab() impl, and tweak policy update test-harness test path handling -- it was prepending a path variable that's always empty, but we were also using absolute paths so we didn't notice elsewhere, though we were using paths of the form //foo/bar/baz. Leading double slashes are significant on Cygwin since they're used to denote UNC paths, so tests failed there & uncovered this problem 2017-09-08 11:58:19 -07:00
Brian Cox 140ed7c26c Build fix for AROS (wasn't pulling in errno.h in fsprocalc.cpp, which is now needed for ERANGE symlink check) 2017-09-07 20:42:00 -07:00
Brian Cox 078bf28164 A few little tweaks for SkyOS unit tests & configure robustitude (i.e. relying on stdint.h (if present) to tell us which intrinsic type is 64 bits) 2017-09-07 01:00:58 -07:00
Brian Cox 03bca0ebd4 Modify GetSymLinkStr for platforms that return ERANGE when buffer is too small, like HP_UX; tweak field splitting in crc32 test-harness test, for platforms that separate cksum fields with tabs, like Solaris 10 & maybe earlier. 2017-09-06 12:25:52 -07:00
Brian Cox 159e735ebc Merge branch 'dev/next' of https://github.com/Tripwire/tripwire-open-source into dev/next 2017-09-06 12:11:14 -07:00
Brian Cox a56bae5397 Only use /dev/urandom if --enable-urandom configure arg is used, since current impl falls over on HP-UX & Solaris 10 SPARC & possibly elsewhere 2017-09-05 19:14:27 -07:00
Brian Cox 1566771be0 Tweak install.sh slightly so you can optionally run it standalone instead of thru make install, & add a custom install dir param to it. 2017-09-04 17:24:47 -07:00
Brian Cox e74d916a09 Rename misspelled crytpo_t.cpp -> crypto_t.cpp 2017-09-04 15:37:07 -07:00
Brian Cox a47236408c Add tests to check MD5 & SHA1 impls against RFC test cases 2017-09-04 13:31:44 -07:00
Brian Cox 25ddcc0ca6 Break some big unit tests into smaller ones 2017-09-04 11:47:35 -07:00
Brian Cox e453a81c87 Tweak unit tests that didn't invoke TEST() at all; add operator== to cFCOSpecAttr & cFSPropDisplayer for the sake of unit testing. 2017-09-04 01:35:27 -07:00
Brian Cox 8c73f1cf3b Rework unit test framework (such as it is) to refer to tests by name & not numeric id. Mark tests as skipped if they don't make any TEST assertions or are skipped explicitly 2017-09-03 20:28:24 -07:00
Brian Cox 0d21e71407 Skip crc32 test if 'cksum' is not present for comparison (e.g. SkyOS) 2017-09-03 00:12:54 -07:00
Brian Cox 736a761bff Fix a couple of twtest-only valgrind issues 2017-09-01 19:43:05 -07:00
Brian Cox 7a262bf1c1 Fix AROS build issue that crept in somehow 2017-09-01 17:13:57 -07:00
Brian Cox 9d1d1e19d3 Re-add 'compile' script since make dist/distcheck seem to want it; remove it from .gitignore; recreate root Makefile.in with automake 1.15.1 2017-09-01 14:18:19 -07:00
Brian Cox ce25569eea Use 0 instead of CHILD_ERROR_NATIVE since the latter only exists in Perl >= 5.14.2, and doesn't seem to have any obvious advantages. 2017-09-01 13:48:57 -07:00
Brian Cox 0886ea31be Tweak a couple of test-harness tests to exclude variable properties like access time, since tests aren't interested in that behavior. 2017-08-31 21:44:24 -07:00
Brian Cox 5184fe01c4 Customize 'make clean' to also remove test data dirs and gcov files 2017-08-31 19:51:50 -07:00
Brian Cox 7fe1e4f79a Detect support for doors & event ports in a proper autoconf way. 2017-08-31 18:50:02 -07:00
Brian Cox 5a34e6f48c Add a 'targets' make target to list make targets. Also add a 'test' target as an alias of 'check'. 2017-08-29 18:57:59 -07:00
Brian Cox 02dd677d71 Tweak .gitignore to ignore gcov files; add a convenience script (lcov.sh) to run lcov & package results 2017-08-28 23:01:35 -07:00
Brian Cox 78b09e081f Add configure options for instrumentation: --enable-coverage & --enable-profiling 2017-08-28 22:28:30 -07:00
Brian Cox 7310422053 Clean up iCodeConverter singleton on exit 2017-08-28 20:08:38 -07:00
Brian Cox 8bb3669cf7 Enable SYSLOGREPORTING for test-harness tests, so that syslog code gets exercised in testing. 2017-08-27 23:46:31 -07:00
Brian Cox d724c07873 Use a static cFSPropDisplayer instead of creating a fresh one each time someone asks. Addresses a valgrind leak that only manifests in interactive db update mode. 2017-08-27 22:58:58 -07:00
Brian Cox b3b74fd76e Delete cParseRules when we're done with them. I think this is the last real valgrind issue. 2017-08-27 17:22:31 -07:00
Brian Cox 3481d2622a Fix another leak (via valgrind), this time in cCryptoArchive 2017-08-26 16:10:12 -07:00
Brian Cox b3bcdbbcd9 Fix low hanging fruit items from valgrind memcheck results, mostly array deletes 2017-08-25 12:36:15 -07:00
brc0x1 79933005b7 Switch to rbegin() since std::string::back() is a C++11-ism 2017-08-25 08:12:20 -07:00
Brian Cox 236d67b941 Sort out a valgrind issue w/ handling TEMPDIRECTORY paths. Clean up formatting in twcmdline's FillOutConfigInfo(). 2017-08-26 10:07:27 -07:00
brc0x1 92580983ec Remove more leakage in cHashTable & policy parser 2017-08-25 04:43:52 -07:00
Brian Cox 265bc4701e Turn #ifdef YACC_WINDOWS to #if 0 to make sure untested & unused code stays unused. 2017-08-25 21:37:15 -07:00
Brian Cox dbc48d0326 Merge branch 'dev/next' of https://github.com/Tripwire/tripwire-open-source into dev/next 2017-08-25 19:02:30 -07:00
Brian Cox f4263cf2b8 Comment out some #line directives in twparser, since they confuse gcov 2017-08-25 19:00:39 -07:00
Brian Cox 55020401d9 Fix a few simple leaks inside twtest; fix some file permissions that got set wrong in last commit 2017-08-25 18:28:09 -07:00
brc0x1 8cec86246f Fix build issues cross compiling for RISC OS (haven't verified we actually work yet, though); fix a couple of build issues left over from recent test-dir changes to twtest 2017-08-24 19:20:40 -07:00
Brian Cox bd3b071e1b ifdef out some unused methods in our HAVAL impl. 2017-08-24 00:57:11 -07:00
Brian Cox d0b9b03561 Also tweak unit tests that dropped files in working directory to use our test data dir instead 2017-08-23 23:54:18 -07:00
Brian Cox f5e76827be Robustify symlink reading in cFSPropCalc, & add a unit test for it. Tweak other unit tests to use a test directory we control, rather than dumping stuff in /tmp 2017-08-23 23:36:21 -07:00
Brian Cox fafa681bce Fix dbupdate secure-mode test, add a case for updating db twice w/ same report, clean up twtools methods a bit more. 2017-08-23 17:58:12 -07:00
Brian Cox 01e25eb493 Remove a couple of unused FSServices methods 2017-08-19 20:38:57 -07:00
Brian Cox 97a2d44481 Disable incomplete impl for long property names, but don't remove it in case we want to finish it someday. This ensures that '&unimplemented' is not recognized as a valid property name in policy files. 2017-08-19 20:13:07 -07:00
Brian Cox 6582fb77fb Remove a bunch of unused methods in cTWUtil 2017-08-19 19:54:35 -07:00
Brian Cox dc943880de Add more bad policy test cases; split good & bad policies into separate tests 2017-08-17 21:26:51 -07:00
Brian Cox b4e530b40f Clean up create-policy acceptance test; add a dir for bad policy text files (expected to fail) & add the first one, which is just a zero-byte file. 2017-08-17 00:17:28 -07:00
Brian Cox 72f042644b Add test-harness test for policy creation; among other things it tries the policy files in src/parser/testfiles, plus some other test cases. Updated one of the test files so user doesn't need to hand edit it before use. 2017-08-09 23:55:30 -07:00
Brian Cox 85fcbb1371 Add IC test cases for named severity, ignored props, & email reporting 2017-08-09 19:39:03 -07:00
Brian Cox 4cdb384445 gcov revealed that a few unit tests weren't actually being run, so fixing those, & tweak exception handling in other tests to be more uniform (since we catch everything at the test harness level now) 2017-08-06 18:55:52 -07:00
Brian Cox f02e2c10b5 Add new test-harness tests to exercise various IC mode options, plus tripwire help & version modes 2017-08-05 18:05:21 -07:00
Brian Cox db60f15f23 Fix misspelling of 'UNKNOWN' in a constant name; add a missing bracket in twprint print-db mode help 2017-08-04 23:14:54 -07:00
Brian Cox 121ccea9b5 Add a siggen test-harness test to cover various options that aren't covered elsewhere. Like the twadmin & twprint tests added in the last commit, this was motivated by gcov results showing that a 'make check' was missing a bunch of code paths, particularly around command line args and error handling. 2017-08-04 00:16:43 -07:00
Brian Cox a6c796a501 Add new twadmin & twprint test-harness tests, to exercise modes, options & errors that aren't covered elsewhere. Update twtools module with additional methods these new tests need. 2017-08-03 23:35:53 -07:00
Brian Cox d8e323e186 Rename 2038 epoch check to something more accurate & less alarming than 'TimeBombExploded' (sheesh), and only bother with it if time_t is 32 bits. 2017-07-31 18:49:36 -07:00
Brian Cox 24dba1b374 Remove or disable a little dead code uncovered by gcov 2017-07-28 20:15:50 -07:00
Brian Cox 148a5e38d4 A bit more urandom cleanup 2017-07-19 23:02:13 -07:00
Brian Cox 5757a53d61 Simplify urandom usage, & keep device open between uses 2017-07-17 22:35:17 -07:00
Brian Cox 60fede7678 Tweak device random stuff for Linux 2017-07-15 22:59:50 -07:00
Brian Cox eec812814a Use RNG device(s) if available (experimental) 2017-07-15 18:10:42 -07:00
Brian Cox b26422fa07 If an exception throws out of an IC, catch it & add to the report file instead of just falling over. 2017-07-09 10:10:16 -07:00
Brian Cox 2fc9faaee1 remove a backup file I hadn't meant to commit 2017-07-09 00:11:05 -07:00
Brian Cox 180bf761e0 Buildsys files regenerated with automake 1.15.1, with no exciting new features 2017-07-08 22:18:04 -07:00
Brian Cox dbc00a2ed4 Fix logic error in cFCOPropVector::isExtended(), which only manifests with large prop vectors we currently won't see in the wild. Exposed by intermittently failing test in fcopropvector_t.cpp circa line 132, which now passes reliably on platforms where it used to fail. 2017-07-08 19:51:23 -07:00
Brian Cox def126e190 aclocal.m4 got regenerated by automake 1.15.1, though it actually only updated the version number & copyright year 2017-07-08 19:49:22 -07:00
Brian Cox ad9a79a84a Add '.' to test-harness @INC path, since latest Perl 5 apparently now excludes it by default. 2017-07-08 19:47:49 -07:00
Brian Cox 65d97e2892 Rework fileutil_t test to not require /etc/hosts; tweak twutil_t test to work properly if run as root 2017-07-08 16:29:34 -07:00
Brian Cox 122010acc2 In examine-encryption mode, say 'Unknown' & exit w/ nonzero value if can't find a keyfile that goes with the file being examined 2017-07-08 15:18:58 -07:00
Brian Cox 4176c1db12 Add a new test-harness test to exercise twadmin change-passphrases mode 2017-06-28 20:05:52 -07:00
Brian Cox 73a8f0e59b Add a test-harness that does a happy path thru the twadmin file crypto modes. 2017-06-25 14:48:56 -07:00
Brian Cox 60b24b0201 Add a test-harness test for policy updates, & tidy up some existing test code 2017-06-24 10:57:18 -07:00
Brian Cox 1ffe02226b Bump version to 2.4.3.6 2017-06-22 17:45:41 -07:00
Brian Cox 54b3b6a2c2 Fix a few more copyright years 2017-04-25 18:52:26 -07:00
Brian Cox dae64c48ed Update copyright years 2017-04-25 18:31:11 -07:00
Brian Cox b1f0ed4b71 Add an email reporting test, which runs tripwire --test mode & verifies the required mail header fields look right. This test only uses the sendmail (pipe) mailmethod, since I'm not sure how to automate SMTP testing in our Perl framework. 2017-04-24 22:44:03 -07:00
Brian Cox cdfb2096c5 Fixes for the Perl acceptance test suite: Enhance reporting to show total/pass/fail/skip tests, fix DB Update tests that were failing silently, fix 'hash check' tests that were passing incorrectly even if md5sum wasn't present, add a sha1 hash test. 2017-04-23 22:52:32 -07:00
Brian Cox 47c9861baa Clean up various unit test TODOs, including re-enabling some test code that had been ifdef'd out; improve reporting of failures and how many actual tests were run 2017-04-19 23:37:35 -07:00
Brian Cox 5a425591ce Redo hierdatabase & dbdatasource unit tests so they do something useful; add sanity checks to cBlockRecordFile::FindRoomForData and cDbDataSourceIter::SetFCOData, the need for these was exposed by the new tests. Also update debug-only DB Explore mode with a few more commands 2017-04-19 20:20:08 -07:00
Brian Cox fdb25ca903 Define NDEBUG for non-debug builds 2017-04-12 22:42:49 -07:00
Brian Cox 8ba032c424 Change uses of _DEBUG and _DEBUG_DB defines to be DEBUG, since that's the only symbol that gets defined by configuring with --enable-debug. 2017-04-12 21:44:51 -07:00
Brian Cox a1e614d694 Remove irritating 'eof:' comments, and some ancient dead code in stringutil.cpp 2017-04-11 21:29:32 -07:00
Brian Cox e653e83058 Expanded exception handling for file operations during a check, plus some refactoring & cleanup 2017-04-11 21:23:25 -07:00
Brian Cox 7af2781a19 Merge pull request #23 from Tripwire/dev/2435
Open Source Tripwire 2.4.3.5
2017-04-02 00:18:57 -07:00
Brian Cox 65e0a0d664 Tweak unit test error reporting slightly 2017-03-31 23:08:44 -07:00
Brian Cox 7b86cdd134 Unit test build fix, make sure <typeinfo> is included 2017-03-31 15:09:43 -07:00
Brian Cox a0d04d89ad Merge branch 'dev/2435' of https://github.com/Tripwire/tripwire-open-source into dev/2435 2017-03-31 14:34:10 -07:00
Brian Cox 65625c6d0e Tweak message about documentation location at end of install, so it points somewhere real vs. an empty string 2017-03-31 00:02:14 -07:00
Brian Cox 87750882e4 Update Changelog & fix a hyphen in ReadMe 2017-03-30 23:05:37 -07:00
Brian Cox 2df8802a71 Update readme file 2017-03-30 22:52:03 -07:00
Brian Cox a67d3c3a86 Clean up installer (remove unneeded checks, better editor & pager detection & path handling); update twtest to count failures instead of exiting on first one. 2017-03-30 22:22:52 -07:00
Brian Cox 9e1b078aac Fix setting of IS_xxx OS macros for various platforms 2017-03-29 00:13:22 -07:00
Brian Cox 4af1375fb1 More unit test cleanup, + fix a warning in msystem le_set() 2017-03-27 22:45:55 -07:00
Brian Cox ffd6dd8720 Merge branch 'dev/2435' of https://github.com/Tripwire/tripwire-open-source into dev/2435 2017-03-27 18:49:17 -07:00
Brian Cox f549b069af Remove installer check for tar since installer doesn't actually use it; remove some cleanup meant for an ancient patch lost in the mists of time 2017-03-27 18:49:07 -07:00
Brian Cox 7d66656c10 Build fix for tests, since you don't always have an ifstream/ofstream constructor that takes a string reference 2017-03-27 16:43:00 -07:00
Brian Cox 2c03fdf878 Enable/repair more unit tests, and undo an earlier change to hex_to_char() that was causing test failures 2017-03-27 00:50:33 -07:00
Brian Cox cdb7310dae Enable & (at least partly) fix charutil, displayencoder, & policyparser tests, which weren't running until now. 2017-03-26 20:16:37 -07:00
Brian Cox be0b374cad Tweak le_set() for clarity in msystem.cpp 2017-03-26 00:28:04 -07:00
Brian Cox c931a13ecd Disable unused tss::mbsdec() 2017-03-26 00:06:09 -07:00
Brian Cox da8748b6f2 fix file mode printing 2017-03-25 23:41:37 -07:00
Brian Cox 76868c5ccc Resolve assorted GCC 7 warnings 2017-03-25 19:40:54 -07:00
Brian Cox e04b97132b Ok, actually don't use strl* string functions since they're a BSD-ism & Linux doesn't have them. 2017-03-25 16:02:51 -07:00
Brian Cox 7ce1df0a04 Remove the few remaining exception specifications, since they're deprecated in C++11 & cause warnings in GCC 7 2017-03-25 15:31:47 -07:00
Brian Cox 8cdca39103 Prefer strl* string functions over strn* ones 2017-03-25 15:06:22 -07:00
Brian Cox 911e051091 Fix more warnings, & make TestFCOSpec() do something useful in non-debug builds 2017-03-23 23:45:20 -07:00
Brian Cox 9c38b49839 Prefer prefix ++/-- operators where possible, for performance reasons (per CppCheck) 2017-03-23 19:30:52 -07:00
Brian Cox 5c1cfe4702 Use unique_ptr instead of auto_ptr where available (and define a macro to pick which one to use); fix a few other remaining warnings. 2017-03-22 20:00:08 -07:00
Brian Cox 4cb15a741a Remove 'util_EatAllSpaces' method, which did shady things with iterators and didn't even eat all whitespace 2017-03-22 00:11:20 -07:00
Brian Cox ea2170fd20 Tweak a memory alignment unit test that doesn't (and should not be expected to) work on HP-UX. 2017-03-21 23:36:26 -07:00
Brian Cox 5275975d86 Correctly handle rule w/ leading whitespace within a quoted path. Uncomment test case that validates correct behavior. 2017-03-19 23:09:05 -07:00
Brian Cox a2e82147eb update old 'directives.txt' policy test file for current syntax 2017-03-19 10:40:29 -07:00
Brian Cox 2c57dd824a Update test policy files in src/parser/testfiles to (largely) match current policy language 2017-03-17 23:37:05 -07:00
Brian Cox 6ea9c0b92e fix debug builds in debug.cpp 2017-03-17 18:38:56 -07:00
Brian Cox 2b067176ad Fix some clang extended warnings: non-virtual-dtor, shadow, unneeded-internal-declaration 2017-03-17 00:04:21 -07:00
Brian Cox aaee78c061 Tweaks for 'make check': Don't assume location of perl, or existence of /etc/hosts 2017-03-16 20:51:12 -07:00
Brian Cox 8bd86fe60d Address more cppcheck warnings, mostly around assignment operators & explicit constructors 2017-03-15 23:41:23 -07:00
Brian Cox b1147d65cf Add sanity check in cFCODataSourceIterImpl::SeekToFCO() to fix a unit test that fails on some platforms 2017-03-15 21:44:54 -07:00
Brian Cox 900fad8ca4 Remove some dead code, including objectpool & Unicode-only utf8 stuff 2017-03-15 20:58:49 -07:00
Brian Cox 1fb5f332e6 For clarity, remove a bunch of IS_UNIX ifdefs, since configure.ac always defines IS_UNIX to 1 no matter the OS. 2017-03-15 20:31:38 -07:00
Brian Cox b2f21c3d55 Assorted bounds checks (via flawfinder) 2017-03-15 19:06:52 -07:00
Brian Cox d3f859bfbd Address some cppcheck warnings around initializers & catching by reference 2017-03-15 00:47:52 -07:00
brc0x1 63168d9880 Update copyright/tm notice in installer script 2017-03-14 13:16:43 -07:00
brc0x1 91e19716d0 Merge branch 'dev/2435' of https://github.com/Tripwire/tripwire-open-source into dev/2435 2017-03-14 13:08:00 -07:00
Brian Cox 062523a60e Add a working 'make check' target, which runs both the test suite in src/test-harness, and all the twtest unit tests; update unit test binary to return standard success/fail values, to keep make happy 2017-03-14 01:23:23 -07:00
Brian Cox 2e39db661b Comment out a known-problematic assert in zdeflate.cpp (though I haven't actually seen it fail in OST). Later versions of Crypto++ comment out or remove this line, so this seems reasonable to do until I can figure out how to update the whole library 2017-03-14 00:32:16 -07:00
brc0x1 58dafd1d9e Tweak path to install.sh so 'make distcheck' works; update installer to pick up additional files for docs directory. 2017-03-13 17:25:44 -07:00
brc0x1 306b7a7a5f Tweak 'make uninstall' to nuke twexes & docs 2017-03-13 15:42:47 -07:00
Brian Cox db44ff8faf Add 'disable-extrawarnings' configure option to support old compilers that don't support the -Wextra compiler flag. 2017-03-12 01:59:25 -08:00
Brian Cox b0b95667f3 Bump version; tweak install script so install-strip works when not sudo'd; detect compiler properly when g++ goes by 'c++' 2017-03-11 14:46:27 -08:00
577 changed files with 39658 additions and 30582 deletions

.clang-format Normal file

@ -0,0 +1,115 @@
---
Language: Cpp
AccessModifierOffset: -4
AlignAfterOpenBracket: Align
AlignConsecutiveAssignments: true
AlignConsecutiveDeclarations: true
AlignEscapedNewlines: Left
AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
AllowShortBlocksOnASingleLine: false
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: None
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterDefinitionReturnType: None
AlwaysBreakAfterReturnType: None
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: false
BinPackArguments: false
BinPackParameters: false
BraceWrapping:
AfterClass: true
AfterControlStatement: true
AfterEnum: true
AfterFunction: true
AfterNamespace: true
AfterObjCDeclaration: true
AfterStruct: true
AfterUnion: true
AfterExternBlock: true
BeforeCatch: true
BeforeElse: true
IndentBraces: false
SplitEmptyFunction: true
SplitEmptyRecord: true
SplitEmptyNamespace: true
BreakBeforeBinaryOperators: None
BreakBeforeBraces: Custom
BreakBeforeInheritanceComma: false
BreakBeforeTernaryOperators: false
BreakConstructorInitializersBeforeComma: false
BreakConstructorInitializers: BeforeColon
BreakAfterJavaFieldAnnotations: false
BreakStringLiterals: true
ColumnLimit: 120
CommentPragmas: '^ IWYU pragma:'
CompactNamespaces: false
ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true
ForEachMacros:
- foreach
- Q_FOREACH
- BOOST_FOREACH
IncludeBlocks: Preserve
IncludeCategories:
- Regex: '^"(llvm|llvm-c|clang|clang-c)/'
Priority: 2
- Regex: '^(<|"(gtest|gmock|isl|json)/)'
Priority: 3
- Regex: '.*'
Priority: 1
IncludeIsMainRegex: '(Test)?$'
IndentCaseLabels: false
IndentPPDirectives: AfterHash
IndentWidth: 4
IndentWrappedFunctionNames: false
JavaScriptQuotes: Leave
JavaScriptWrapImports: true
KeepEmptyLinesAtTheStartOfBlocks: true
MacroBlockBegin: ''
MacroBlockEnd: ''
MaxEmptyLinesToKeep: 2
NamespaceIndentation: None
ObjCBlockIndentWidth: 2
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PenaltyBreakAssignment: 2
PenaltyBreakBeforeFirstCallParameter: 19
PenaltyBreakComment: 300
PenaltyBreakFirstLessLess: 120
PenaltyBreakString: 1000
PenaltyExcessCharacter: 1000000
PenaltyReturnTypeOnItsOwnLine: 60
PointerAlignment: Left
RawStringFormats:
- Delimiter: pb
Language: TextProto
BasedOnStyle: google
ReflowComments: false
SortIncludes: false
SortUsingDeclarations: true
SpaceAfterCStyleCast: false
SpaceAfterTemplateKeyword: false
SpaceBeforeAssignmentOperators: true
SpaceBeforeParens: ControlStatements
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
SpacesInContainerLiterals: true
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Auto
TabWidth: 4
UseTab: Never
...
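
Review bot: `Standard: Auto` near the end of the file lets clang-format infer the language standard per source file, while the commit log for this branch still avoids C++11-only constructs (`std::string::back()` was replaced, `unique_ptr` is used only "where available"). Pinning `Standard: Cpp03` would stop the formatter from rewriting `> >` as `>>` in nested templates in any file it classifies as C++11, which pre-C++11 compilers reject. Separately, the `ForEachMacros` entries (`Q_FOREACH`, `BOOST_FOREACH`), the llvm/gtest `IncludeCategories` regexes and the `ObjC*`/`JavaScript*` keys look like defaults carried over from a style dump; with `SortIncludes: false` the include categories have no effect, so trimming them would leave a file that records only the choices made for this code base.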

.gitignore vendored

@ -3,7 +3,6 @@ config.h
config.h.in~ config.h.in~
config.log config.log
config.status config.status
compile
autom4te.cache/ autom4te.cache/
bin/ bin/
lib/ lib/
@ -12,6 +11,7 @@ src/tripwire/tripwire
src/twadmin/twadmin src/twadmin/twadmin
src/twprint/twprint src/twprint/twprint
src/twtest/twtest src/twtest/twtest
src/test-harness/twtest
**/Makefile **/Makefile
**/*.o **/*.o
**/*.dylib **/*.dylib
@ -20,6 +20,9 @@ src/twtest/twtest
**/*.dll **/*.dll
**/*.exe **/*.exe
**/*~ **/*~
**/*#
**/*.bak **/*.bak
**/.DS_Store **/.DS_Store
**/*.gcno
**/*.gcda
releases/ releases/


@ -1,3 +1,39 @@
2018-03-24 Brian Cox <bcox@tripwire.com>
* Update version to 2.4.3.7
* Provide a useful README.md (Github issue #17).
* Document return codes in man pages (Github issue #28).
* Update install script after testing on additional platforms.
* Provide default policies for more operating systems, and update some existing policies
* Usability tweaks to twtest.
* Fix email reporting on Syllable
* Update copyright dates to 2018
* Clean up code style with clang-format, & add a custom style that approximates existing OST usage.
* Add -t / --output-level option to print-db mode, for consistency w/ print-report mode.
* Add object list support to print-report mode, for consistency w/ print-db mode.
2017-10-01 Brian Cox <bcox@tripwire.com>
* Update version to 2.4.3.6
* Fix & expand tests in Perl acceptance test framework
* Fix & expand twtest unit tests, & rework unit test mini-framework so theyre referenced by name, not some numeric ID, and list tests as “skipped" if they dont make any test assertions.
* Add configure options to enable coverage, profiling, & use /dev/urandom as RNG (all off by default)
* Add a list make target to list all make targets
* Remove dead code & add test coverage per gcov+lcov results
* Fix various memory issues pointed out by valgrind
* In examine-encryption mode, better reporting (& nonzero exit) if we can't find a keyfile for the examined file.
* More exception handling around individual objects & init/IC as a whole, since there have been occasional reports of uncaught exceptions during init or check, and so far havent been able to repro or figure out what circumstances it occurs under. (e.g. Github issue #25)
* Tweak install.sh so it can be run directly, not just thru 'make install' if you want. (Github issue #26)
* Improve native (non-Posixy) path handling on platforms that need it (DOS, AROS, RISC OS, Redox)
* New platforms: MirOS BSD, Bitrig, LibertyBSD, RISC OS, Redox
* Add default policies for HP-UX & various BSDs
2017-03-30 Brian Cox <bcox@tripwire.com>
* Bump version to 2.4.3.5
* Fix install-strip, check, uninstall, and distcheck make targets.
* Fix GCC 7.0.x warnings; use std::unique_ptr instead of deprecated std::auto_ptr where available.
* Add --disable-extrawarnings configure option, for old compilers that dont support the -Wextra compile option.
* Clean up unit tests & enable disabled tests.
* Address more static analyzer warnings, including from CppCheck & Flawfinder
2017-03-05 Brian Cox <bcox@tripwire.com> 2017-03-05 Brian Cox <bcox@tripwire.com>
* Bump version to 2.4.3.4 * Bump version to 2.4.3.4
* Fix issue with printing level 2 reports, introduced by fixing a Clang static analyzer quibble in 2.4.3.3. Sigh. * Fix issue with printing level 2 reports, introduced by fixing a Clang static analyzer quibble in 2.4.3.3. Sigh.
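Review bot: the added 2017-10-01 and 2017-03-30 entries have lost their apostrophes ("theyre", "dont", "havent") and one opens a quote with a curly mark and closes it with a straight one around "skipped", which looks like an encoding problem from copy/paste; fix these before the release is tagged. The 2017-10-01 entry that adds a configure option to use /dev/urandom as the RNG (off by default) should also say what the default source is, since packagers will want to know which one their build ends up with.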
@ -28,6 +64,7 @@
* Remove dead code & unused files. * Remove dead code & unused files.
* Optional RESOLVE_IDS_TO_NAMES option to disable uid/gid to name resolution, if needed. * Optional RESOLVE_IDS_TO_NAMES option to disable uid/gid to name resolution, if needed.
* New --key-size option to twadmin --generate-keys, to generate 1024 (default) or 2048 bit El Gamal keys. * New --key-size option to twadmin --generate-keys, to generate 1024 (default) or 2048 bit El Gamal keys.
2016-04-20 Brian Cox <bcox@tripwire.com> 2016-04-20 Brian Cox <bcox@tripwire.com>
* Bump version to 2.4.3.1 * Bump version to 2.4.3.1
* Revive old 'twtest' unit test suite (such as it is); move _t.cpp files into twtest dir. * Revive old 'twtest' unit test suite (such as it is); move _t.cpp files into twtest dir.


@ -3,7 +3,23 @@ SUBDIRS = man src
EXTRA_DIST = COMMERCIAL MAINTAINERS TRADEMARK LICENSE Packaging ReadMe-2.4.3 README.md autogen.sh autogen.sh.README touchconfig.sh contrib policy installer EXTRA_DIST = COMMERCIAL MAINTAINERS TRADEMARK LICENSE Packaging ReadMe-2.4.3 README.md autogen.sh autogen.sh.README touchconfig.sh contrib policy installer
install-data-hook: install-data-hook:
export INSTALL_STRIP_FLAG INSTALL_STRIP_FLAG="$(INSTALL_STRIP_FLAG)" \
prefix="$(prefix)" sysconfdir="$(sysconfdir)" \ prefix="$(prefix)" sysconfdir="$(sysconfdir)" \
path_to_vi="$(path_to_vi)" path_to_sendmail="$(path_to_sendmail)" \ path_to_vi="$(path_to_vi)" path_to_sendmail="$(path_to_sendmail)" \
./installer/install.sh $(top_srcdir)/installer/install.sh
uninstall-hook:
rm -f ${prefix}/sbin/tripwire $(prefix)/sbin/twadmin $(prefix)/sbin/twprint $(prefix)/sbin/siggen
rm -Rf $(prefix)/doc
check:
rm -Rf $(top_srcdir)/src/test-harness/twtest
rm -Rf $(top_srcdir)/bin/TWTestData
cd $(top_srcdir)/src/test-harness && perl ./twtest.pl
cd $(top_srcdir)/bin && ./twtest all
test: check
.PHONY: targets
targets:
@$(MAKE) -pRrq -f $(lastword $(MAKEFILE_LIST)) : 2>/dev/null | awk -v RS= -F: '/^# File/,/^# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | sort | egrep -v -e '^[^[:alnum:]]' -e '^$@$$' | xargs
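Review bot: in the new `uninstall-hook`, `rm -Rf $(prefix)/doc` deletes the whole `doc` directory under the prefix instead of only what this package installed, so on a shared prefix it can remove other packages' documentation; limit it to Tripwire's own files or a Tripwire-specific subdirectory. The same recipe hard-codes `$(prefix)/sbin` rather than `$(sbindir)`, ignores `$(DESTDIR)`, and mixes `${prefix}` with `$(prefix)`. The `check` recipe also removes and runs things under `$(top_srcdir)/bin`, which assumes an in-tree build.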


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -307,7 +307,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@
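Review bot: the removal of `runstatedir = @runstatedir@` in this hunk, together with the header moving from automake 1.15 to 1.15.1, looks like a side effect of regenerating the file with a different autotools installation rather than an intended change. Confirm nothing relies on `runstatedir`, and regenerate the checked-in build files with one pinned toolchain so generated churn like this stays out of review.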
@ -547,7 +546,7 @@ distdir: $(DISTFILES)
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|| chmod -R a+r "$(distdir)" || chmod -R a+r "$(distdir)"
dist-gzip: distdir dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
$(am__post_remove_distdir) $(am__post_remove_distdir)
dist-bzip2: distdir dist-bzip2: distdir
@ -573,7 +572,7 @@ dist-shar: distdir
@echo WARNING: "Support for shar distribution archives is" \ @echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2 "deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
$(am__post_remove_distdir) $(am__post_remove_distdir)
dist-zip: distdir dist-zip: distdir
@ -591,7 +590,7 @@ dist dist-all:
distcheck: dist distcheck: dist
case '$(DIST_ARCHIVES)' in \ case '$(DIST_ARCHIVES)' in \
*.tar.gz*) \ *.tar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \ *.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lz*) \ *.tar.lz*) \
@ -601,7 +600,7 @@ distcheck: dist
*.tar.Z*) \ *.tar.Z*) \
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
*.shar.gz*) \ *.shar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \ *.zip*) \
unzip $(distdir).zip ;;\ unzip $(distdir).zip ;;\
esac esac
@ -774,9 +773,10 @@ ps: ps-recursive
ps-am: ps-am:
uninstall-am: uninstall-am:
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
.MAKE: $(am__recursive_targets) all install-am install-data-am \ .MAKE: $(am__recursive_targets) all install-am install-data-am \
install-strip install-strip uninstall-am
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \ am--refresh check check-am clean clean-cscope clean-generic \
@ -792,16 +792,32 @@ uninstall-am:
install-strip installcheck installcheck-am installdirs \ install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \ installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \
tags-am uninstall uninstall-am tags-am uninstall uninstall-am uninstall-hook
.PRECIOUS: Makefile .PRECIOUS: Makefile
install-data-hook: install-data-hook:
export INSTALL_STRIP_FLAG INSTALL_STRIP_FLAG="$(INSTALL_STRIP_FLAG)" \
prefix="$(prefix)" sysconfdir="$(sysconfdir)" \ prefix="$(prefix)" sysconfdir="$(sysconfdir)" \
path_to_vi="$(path_to_vi)" path_to_sendmail="$(path_to_sendmail)" \ path_to_vi="$(path_to_vi)" path_to_sendmail="$(path_to_sendmail)" \
./installer/install.sh $(top_srcdir)/installer/install.sh
uninstall-hook:
rm -f ${prefix}/sbin/tripwire $(prefix)/sbin/twadmin $(prefix)/sbin/twprint $(prefix)/sbin/siggen
rm -Rf $(prefix)/doc
check:
rm -Rf $(top_srcdir)/src/test-harness/twtest
rm -Rf $(top_srcdir)/bin/TWTestData
cd $(top_srcdir)/src/test-harness && perl ./twtest.pl
cd $(top_srcdir)/bin && ./twtest all
test: check
.PHONY: targets
targets:
@$(MAKE) -pRrq -f $(lastword $(MAKEFILE_LIST)) : 2>/dev/null | awk -v RS= -F: '/^# File/,/^# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | sort | egrep -v -e '^[^[:alnum:]]' -e '^$@$$' | xargs
# Tell versions [3.59,3.63) of GNU make to not export all variables. # Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded. # Otherwise a system limit (for SysV at least) may be exceeded.

Packaging Executable file → Normal file

@ -9,10 +9,6 @@ Packaging for Open Source Tripwire is maintained by various third parties:
* Debian: https://tracker.debian.org/pkg/tripwire * Debian: https://tracker.debian.org/pkg/tripwire
* Gentoo: https://packages.gentoo.org/packages/app-admin/tripwire * Gentoo: https://packages.gentoo.org/packages/app-admin/tripwire
Gentoo also has an SELinux policy for OST:
https://packages.gentoo.org/packages/sec-policy/selinux-tripwire
* Chef cookbook: https://github.com/rackspace-cookbooks/rackspace_tripwire
* FreeBSD Ports: http://svnweb.freebsd.org/ports/head/security/tripwire/ * FreeBSD Ports: http://svnweb.freebsd.org/ports/head/security/tripwire/
@ -23,5 +19,19 @@ Packaging for Open Source Tripwire is maintained by various third parties:
* NetBSD pkgsrc: http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/tripwire/README.html * NetBSD pkgsrc: http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/tripwire/README.html
NOTE: At present (April 2016) pkgsrc only provides the obsolete Tripwire 1.2, from the mid-1990s. NOTE: At present (April 2016) pkgsrc only provides the obsolete Tripwire 1.2, from the mid-1990s.
That version lacks contemporary hash algorithms, and you probably don't want to use it. That version lacks contemporary hash algorithms, and you probably don't want to use it.
There's an unfinished pkgsrc port for OST 2.3+ here, if someone who understands pkgsrc
is looking for a fun(?) project: http://pkgsrc.se/wip/tripwire2
A few third party projects that might be useful with OST
* Chef cookbook: https://github.com/rackspace-cookbooks/rackspace_tripwire
* Puppet module: https://github.com/razorsedge/puppet-tripwire
* SELinux policies from Tresys: https://github.com/TresysTechnology/refpolicy-contrib/blob/master/tripwire.te
(and related .fc and .if files in the same repo)
* A Gentoo SELinux policy, different from the one above: https://packages.gentoo.org/packages/sec-policy/selinux-tripwire
* An experimental(?) Dockerfile for CentOS: https://hub.docker.com/r/prateeknischal/tripwire-play/
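Review bot: the new "A few third party projects that might be useful with OST" list places an individual's Docker Hub image, itself marked "experimental(?)", in the packaging notes of an integrity-checking tool without saying whether anyone on the project has looked at it. State explicitly that these projects are not reviewed or maintained by the OST project, so readers verify them before use. The heading line also needs a trailing colon to match the list that follows.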

README.md

@ -1,5 +1,179 @@
# Open Source Tripwire<sup>®</sup> # Open Source Tripwire<sup>®</sup>
Open Source Tripwire<sup>®</sup> software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by [Tripwire, Inc.](http://www.tripwire.com) in 2000. Open Source Tripwire<sup>®</sup> is a security and data integrity tool for monitoring and alerting on file & directory changes. This project is based on code originally contributed by [Tripwire, Inc.](http://www.tripwire.com) in 2000.
Open Source Tripwire is suitable for monitoring a small number of Linux servers, where centralized control and reporting is not needed and professional support or system automation is not a requirement. ## Overview
A Tripwire check compares the current filesystem state against a known baseline state, and alerts on any changes it detects. The baseline and check behavior are controlled by a policy file, which specifies which files or directories to monitor, and which attributes to monitor on them, such as hashes, file permissions, and ownership.
When an expected change occurs, such as upgrading a package, the baseline database can be updated to the new known-good state. The policy can also be updated, for example to reduce noise or cover a newly installed package.
## Getting Started
This section covers manual setup of Open Source Tripwire. If installing via an RPM or Debian package, or via **make install**, a setup script will walk the user through the initial setup steps (key generation thru policy creation) and these will not need to be done by hand.
### Generating Keys
The first step is to generate site and local key files. This is necessary because Tripwire policy, configuration, and database files are signed by default, and report files may also be signed. The site key is used to sign config and policy files, while databases and reports are signed with the local key. The idea here is that multiple machines can share a site key, but each will have its own local key. The policy and config files can then be created once and distributed across these machines.
A common practice is to include the hostname in the local key filename, as follows:
```
./twadmin --generate-keys -L /etc/tripwire/${HOSTNAME}-local.key
./twadmin --generate-keys -S /etc/tripwire/site.key
```
### Creating a configuration file
The next step is to create a Tripwire config file. The config file contains a variety of settings including the locations of Tripwire binaries and key files, email report settings, and parameters that control baseline/check behavior. These settings are explained in detail in the **twconfig(4)** manual page.
This command line reads and validates the config text in /path/to/twcfg.txt, writes the results to tw.cfg, and signs the resulting file with the provided site key:
```
./twadmin --create-cfgfile -S /path/to/site.key /path/to/twcfg.txt
```
### Generating a policy file
Now it's time to configure which files & directories OST will monitor. A few simple examples of policy rules:
```
/start/point -> $(IgnoreNone); # Get all attributes for this dir tree
/another/start -> +pinugS; # Get selected attributes for this dir tree
!/start/point/subdir/to/ignore; # Don't monitor this dir tree
```
The Tripwire policy language is documented in detail in the **twpolicy(4)** manual page, and default policies for most common operating systems are available in the OST project's policy subdirectory.
```
./twadmin --create-polfile -S /path/to/site.key /etc/tripwire/twpol.txt
```
### Creating a baseline
The next step is to baseline the system for the first time. This step is necessary even if the previous steps are handled by a setup/install script.
```
./tripwire --init
```
This creates a database file in the configured directory, typically a file with a .twd extension in /var/lib/tripwire. The optional **--verbose** argument to init mode lists files and directories as they're being scanned.
### Running a check
```
./tripwire --check
```
This runs a check, again with an optional **--verbose** option that displays what it's doing. Scan results are written to standard out, as well as a report file, which typically has a .twr extension and lives in /var/lib/tripwire/report. If email reporting is enabled, emails will be sent at the end of the check.
A common way to use OST is to set up a cron job to run checks periodically, emailing results to an administrative account. Note that the OST install script currently does not create any cron jobs, and this will need to be done by hand.
### Printing a report
```
./twprint -m r -t [0-4] -r /path/to/reportfile.twr
```
The -t argument specifies the level of report verbosity, where 0 is a single line summary of the report contents, and 4 displays all gathered attributes on all changed objects. The report level defaults to 3 if not specified on the command line or via the REPORTLEVEL config file option.
Databases can be also printed with:
```
./twprint -m d -d /path/to/database.twd
```
### Updating a database
The simplest form of update updates the database with all the changes in a report file:
```
./tripwire --update --accept-all
```
While a
```
./tripwire --update
```
brings up a text report in the user's preferred editor (as configured in the config file's EDITOR option), with a checkbox next to each detected change. After saving and exiting the editor, the database will only be updated for those objects that remain selected with an **[x]**.
### Updating a policy
Policy update mode modifies the current Tripwire policy without losing existing baselines.
```
./tripwire --update-policy updated-policy.txt
```
A check is run with the new policy as part of the update process. If this check detects changes, the default behavior is to display the changes and exit without updating the policy or database. To accept the changes and continue with the policy update, use the **-Z low** / **--secure-mode low** command line option.
### Testing the email configuration
To test email configuration:
```
./tripwire --test --email user@domain.tld
```
This sends a test email to the specified address, using the email settings specified in the config file.
## Building OST
### Prerequisites
A C++ compiler. It's known to build with gcc and clang; OST should work with gcc versions as old as 2.95.2, although gcc older than version 3.1 will need an external STLPort package.
A POSIX-like operating system, including Linux, macOS, various BSDs, Solaris, AIX, HP-UX, Minix, Haiku, GNU/Hurd, and others. Windows users can build OST under Cygwin, although this does not provide support for monitoring the Registry or any Windows-specific file attributes.
Perl 5+ is needed to run the project's test suite.
### Configuring & Building
OST uses a standard automake build, so the first configuration step will generally be:
```
./configure
```
Additional compiler arguments (such as Debian hardening options), non-default paths, and other options can be set up in this step. A ```./configure --help``` lists the available configuration options.
The ```--prefix=/some/path``` option controls where a subsequent ```make install``` will install to, and where Tripwire binaries will look for a configuration file.
The ```--enable-static``` option causes the build to create statically linked binaries. This is often used as a security enhancement, so that Tripwire will not rely on the shared libraries on the machine. This is not possible on all platforms, as some (like macOS and Solaris) don't provide the necessary static libraries to link against.
Note that Linux systems that use NSS for name lookups will still employ shared libraries behind the scenes even when the OST binaries are statically linked. There have been occasional reports of segfaults when trying to do a name lookup in these circumstances, particularly when the binary was built on a different machine or it's trying to do an LDAP or NIS name lookup. If this occurs, there are two ways to work around it: Either switch to dynamic binaries, or set the Tripwire config file option ```RESOLVE_IDS_TO_NAMES=false```, which tells OST to just watch numeric user & group IDs and not perform name lookups.
If the configure or make step fails with errors about the automake/autoconf version, it may be necessary to run the script
```./touchconfig.sh```
before building the project. This script simply touches files in the correct order such that their last change times are not all identical, and that they're different in the right order.
Then just
```make```
to build the project.
## Running the test suites
the ```make check``` make target runs two things: The acceptance test suite in the src/test-harness directory, and unit tests by running twtest, which is built in the bin directory along with other Tripwire binaries. These tests can also be run separately:
```./twtest``` runs all unit tests, while ```./twtest list``` lists all available tests.
```./twtest Groupname``` runs all tests in a group, and
```./twtest Groupname/Testname``` just runs the specified test.
To run the acceptance tests manually, cd to the src/test-harness directory and run ```perl ./twtest.pl```.
## Deployment
The ```make install``` target installs OST to the configured location, and ```make install-strip``` installs and removes symbols from the Tripwire binaries. A ```make dist``` creates a gzipped source bundle.
## Authors
* [Tripwire, Inc.](http://www.tripwire.com)
## License
The developer of the original code and/or files is Tripwire, Inc.
Portions created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc.
Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
This program is free software. The contents of this file are subject to the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. You may redistribute it and/or modify it only in compliance with the GNU General Public License.
This program is distributed in the hope that it will be useful. However,
this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Please see the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Nothing in the GNU General Public License or any other license to use the
code or files shall permit you to use Tripwire's trademarks, service marks, or other intellectual property without Tripwire's prior written consent.
If you have any questions, please contact Tripwire, Inc. at either
info@tripwire.org or www.tripwire.org.
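Review bot: the "Generating Keys" section shows `twadmin --generate-keys` without a key size, and the ChangeLog in this same comparison gives 1024 bits as the default for `--key-size`, with 2048 as the alternative. Since these keys sign the policy, config, database and report files, the section should mention that option so new setups can choose the larger size. Minor wording: the sentence under "Running the test suites" starts with a lowercase "the", and "Databases can be also printed" reads better as "Databases can also be printed".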


@ -1,4 +1,14 @@
What's new in Open Source Tripwire 2.4.3.2: What's new in Open Source Tripwire 2.4.3.x:
* Useful install-strip, check, uninstall & distcheck make targets as of OST 2.4.3.5. Check target invokes both the test-harness framework and twtest unit tests.
* Verify OST builds without errors w/ GCC 7.0.x; fix new warnings from the new compiler, including deprecation warnings; use std::unique_ptr instead of std::auto_ptr where available.
* Add --disable-extrawarnings configure option, for old compilers that dont support the -Wextra compile option.
* Clean up unit tests, enable various disabled tests, make results more useful.
* Additional cleanup due to static analysis tool results (CppCheck, Flawfinder, Clang analyzer).
* OST now includes optional iconv support when configured with --enable-iconv. * OST now includes optional iconv support when configured with --enable-iconv.
When enabled, binary database & report files store paths as UTF-16, making these files more When enabled, binary database & report files store paths as UTF-16, making these files more
@ -29,11 +39,6 @@ specifying a build directory outside the source dir now works as expected.
* Assorted platform tweaks: Add DOS/FreeDOS + DJGPP as a new platform; support Cygwin * Assorted platform tweaks: Add DOS/FreeDOS + DJGPP as a new platform; support Cygwin
//host/share/path syntax for UNC paths; passphrase & tempfile fixes for AROS. //host/share/path syntax for UNC paths; passphrase & tempfile fixes for AROS.
======================================
What was new in earlier 2.4.3 versions:
* This update fixes compilation errors on modern compilers (GCC 4.7+ and LLVM/clang), * This update fixes compilation errors on modern compilers (GCC 4.7+ and LLVM/clang),
as well as some additional errors encountered on various platforms. This is intended as well as some additional errors encountered on various platforms. This is intended
to supersede patches against 2.4.2.x, e.g. http://www.linuxfromscratch.org/blfs/view/svn/postlfs/tripwire.html to supersede patches against 2.4.2.x, e.g. http://www.linuxfromscratch.org/blfs/view/svn/postlfs/tripwire.html
@ -66,15 +71,22 @@ defined incorrectly otherwise.
The update has been tested on a variety of platforms: The update has been tested on a variety of platforms:
Linuxes Linuxes
- CentOS 7 (amd64) + gcc 4.8.5
- Ubuntu 14.0.4 (amd64) + gcc 4.x
- RHEL 3.4 (Itanium) + gcc 3.4.3
- Alpine Linux 3.3.3 + gcc 5.3.0 - Alpine Linux 3.3.3 + gcc 5.3.0
- Android 6.0 (arm) + gcc 4.9 - Alpine Linux 3.5.1 + gcc 6.2.1
- Raspbian 7 (wheezy) (armv6l) + gcc 4.6.3 - Arch Linux 232 + gcc 6.3.1
- openSuSE Tumbleweed (20160408) (i586) + gcc 5.3.1 - Amazon Linux AMI 2016.09 + gcc 4.8.3
- RHEL 6.0 (powerpc64) + gcc 4.4.4 - Android 6.0 (arm) + gcc 4.9 (NDK)
- CentOS 7 (amd64) + gcc 4.8.5
- Fedora 24 Alpha 7 (amd64) + gcc 6.0.0 - Fedora 24 Alpha 7 (amd64) + gcc 6.0.0
- Fedora 27 Rawhide (amd64) + gcc 7.0.1
- Raspbian 7 (wheezy) (armv6l) + gcc 4.6.3
- RHEL 3.4 (Itanium) + gcc 3.4.3
- RHEL 6.0 (powerpc64) + gcc 4.4.4
- openSuSE Tumbleweed (20160408) (i586) + gcc 5.3.1
- Oracle Linux 6.8 + gcc 4.4.7
- Ubuntu 14.0.4 (amd64) + gcc 4.x
- Ubuntu 16.0.4 (amd64) + gcc 5.4.0
- Wind River Pulsar Linux 8 + gcc 5.2.0
OSX OSX
- Mac OS X 10.11 + LLVM 7.0.2 / clang-700.1.81 - Mac OS X 10.11 + LLVM 7.0.2 / clang-700.1.81
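Review bot: "Ubuntu 14.0.4" and the newly added "Ubuntu 16.0.4" in the Linux list look like typos for 14.04 and 16.04, since Ubuntu versions are year.month. The list is also only partly re-sorted (RHEL and Raspbian come before openSuSE and Oracle Linux), so either finish the alphabetical ordering or leave the original order alone.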
@ -90,7 +102,7 @@ BSDs
UNIXes UNIXes
- Solaris 10 SPARC + gcc 3.4.6 - Solaris 10 SPARC + gcc 3.4.6
- Solaris 10 x86 + gcc 3.4.3 - Solaris 10 x86 + gcc 3.4.3
- OpenIndiana 151 + gcc 4.8.5 [an OpenSolaris/illumos distro] - OpenIndiana 151 + gcc 4.8.5
- AIX 5.2 + gcc 4.3.1 - AIX 5.2 + gcc 4.3.1
- HP-UX 11.23 + gcc 4.2.3 - HP-UX 11.23 + gcc 4.2.3


@ -2,7 +2,7 @@ TRIPWIRE COPYRIGHT & TRADEMARK NOTICE
COPYRIGHT COPYRIGHT
The developer of the original code and/or files is Tripwire, Inc. Portions The developer of the original code and/or files is Tripwire, Inc. Portions
created by Tripwire, Inc. are copyright 2000 Tripwire, Inc. created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc.
TRADEMARK TRADEMARK
Tripwire is a registered trademark (the "Trademark") of Tripwire, Inc. All Tripwire is a registered trademark (the "Trademark") of Tripwire, Inc. All

_config.yml Normal file

@ -0,0 +1 @@
theme: jekyll-theme-minimal

aclocal.m4 vendored

@ -1,6 +1,6 @@
# generated automatically by aclocal 1.15 -*- Autoconf -*- # generated automatically by aclocal 1.15.1 -*- Autoconf -*-
# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Copyright (C) 1996-2017 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -20,7 +20,7 @@ You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely. If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically 'autoreconf'.])]) To do so, use the procedure documented by the package, typically 'autoreconf'.])])
# Copyright (C) 2002-2014 Free Software Foundation, Inc. # Copyright (C) 2002-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.15' [am__api_version='1.15'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro. dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.15], [], m4_if([$1], [1.15.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
]) ])
@ -51,14 +51,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.15])dnl [AM_AUTOMAKE_VERSION([1.15.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION], m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*- # AM_AUX_DIR_EXPAND -*- Autoconf -*-
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -110,7 +110,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
# AM_CONDITIONAL -*- Autoconf -*- # AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2014 Free Software Foundation, Inc. # Copyright (C) 1997-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -141,7 +141,7 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]]) Usually this means the macro was only invoked conditionally.]])
fi])]) fi])])
# Copyright (C) 1999-2014 Free Software Foundation, Inc. # Copyright (C) 1999-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -332,7 +332,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
# Generate code to set up dependency tracking. -*- Autoconf -*- # Generate code to set up dependency tracking. -*- Autoconf -*-
# Copyright (C) 1999-2014 Free Software Foundation, Inc. # Copyright (C) 1999-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -408,7 +408,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
# Do all the work for Automake. -*- Autoconf -*- # Do all the work for Automake. -*- Autoconf -*-
# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Copyright (C) 1996-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -605,7 +605,7 @@ for _am_header in $config_headers :; do
done done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -626,7 +626,7 @@ if test x"${install_sh+set}" != xset; then
fi fi
AC_SUBST([install_sh])]) AC_SUBST([install_sh])])
# Copyright (C) 2003-2014 Free Software Foundation, Inc. # Copyright (C) 2003-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -647,7 +647,7 @@ AC_SUBST([am__leading_dot])])
# Check to see how 'make' treats includes. -*- Autoconf -*- # Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -697,7 +697,7 @@ rm -f confinc confmf
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
# Copyright (C) 1997-2014 Free Software Foundation, Inc. # Copyright (C) 1997-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -738,7 +738,7 @@ fi
# Obsolete and "removed" macros, that must however still report explicit # Obsolete and "removed" macros, that must however still report explicit
# error messages when used, to smooth transition. # error messages when used, to smooth transition.
# #
# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Copyright (C) 1996-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -765,7 +765,7 @@ AU_DEFUN([fp_C_PROTOTYPES], [AM_C_PROTOTYPES])
# Helper functions for option handling. -*- Autoconf -*- # Helper functions for option handling. -*- Autoconf -*-
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -794,7 +794,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION], AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
# Copyright (C) 1999-2014 Free Software Foundation, Inc. # Copyright (C) 1999-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -841,7 +841,7 @@ AC_LANG_POP([C])])
# For backward compatibility. # For backward compatibility.
AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -860,7 +860,7 @@ AC_DEFUN([AM_RUN_LOG],
# Check to make sure that the build environment is sane. -*- Autoconf -*- # Check to make sure that the build environment is sane. -*- Autoconf -*-
# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Copyright (C) 1996-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -941,7 +941,7 @@ AC_CONFIG_COMMANDS_PRE(
rm -f conftest.file rm -f conftest.file
]) ])
# Copyright (C) 2009-2014 Free Software Foundation, Inc. # Copyright (C) 2009-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -1001,7 +1001,7 @@ AC_SUBST([AM_BACKSLASH])dnl
_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
]) ])
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -1029,7 +1029,7 @@ fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])]) AC_SUBST([INSTALL_STRIP_PROGRAM])])
# Copyright (C) 2006-2014 Free Software Foundation, Inc. # Copyright (C) 2006-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -1048,7 +1048,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# Check how to create a tarball. -*- Autoconf -*- # Check how to create a tarball. -*- Autoconf -*-
# Copyright (C) 2004-2014 Free Software Foundation, Inc. # Copyright (C) 2004-2017 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
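
Review bot: the only change in this hunk, as in the visible hunks above it for this file, is the Free Software Foundation copyright range moving from 2014 to 2017, which is regeneration churn and not a project change. Consider landing regenerated autotools output in its own commit and stating the Automake version used in the commit message, so a reviewer can regenerate the file and compare it mechanically instead of reading several hundred lines of generated m4 by eye.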

348
compile Executable file

@ -0,0 +1,348 @@
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2016-01-11.22; # UTC
# Copyright (C) 1999-2017 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
ofile=$2
;;
*)
set x "$@" -o "$2"
shift
;;
esac
;;
*.c)
cfile=$1
set x "$@" "$1"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
# Name of file we expect compiler to create.
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir '$lockdir'; exit 1" 1 2 15
# Run the compile.
"$@"
ret=$?
if test -f "$cofile"; then
test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi
rmdir "$lockdir"
exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
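
Review bot: the lock loop near the end of this script (`while true; do if mkdir "$lockdir" ...; sleep 1; done`) has no timeout and no stale-lock check, and the `FIXME` directly below it acknowledges that the lock directory can be left behind if the build is killed between `mkdir` and `trap`. The `trap` also covers only signals 1, 2 and 15, so a compile that is killed outright leaves a directory such as `foo_o.d` in the build directory, and the next compile of that file then waits indefinitely. The header says the file is maintained in Automake, so it should not be patched locally; it would help to state in the commit message how the file was added (for example by `automake --add-missing`) and to mention in the build notes that a hung compile step can be cleared by removing leftover `*_o.d` directories.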

107
config.guess vendored

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Attempt to guess a canonical system name. # Attempt to guess a canonical system name.
# Copyright 1992-2016 Free Software Foundation, Inc. # Copyright 1992-2017 Free Software Foundation, Inc.
timestamp='2016-02-11' timestamp='2017-09-16'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
@ -15,7 +15,7 @@ timestamp='2016-02-11'
# General Public License for more details. # General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <https://www.gnu.org/licenses/>.
# #
# As a special exception to the GNU General Public License, if you # As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a # distribute this file as part of a program that contains a
@ -27,7 +27,7 @@ timestamp='2016-02-11'
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
# #
# You can get the latest version of this script from: # You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
# #
# Please send patches to <config-patches@gnu.org>. # Please send patches to <config-patches@gnu.org>.
@ -50,7 +50,7 @@ version="\
GNU config.guess ($timestamp) GNU config.guess ($timestamp)
Originally written by Per Bothner. Originally written by Per Bothner.
Copyright 1992-2016 Free Software Foundation, Inc. Copyright 1992-2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -186,9 +186,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*) machine=${UNAME_MACHINE_ARCH}-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac esac
# The Operating System including object format, if it has switched # The Operating System including object format, if it has switched
# to ELF recently, or will in the future. # to ELF recently (or will in the future) and ABI.
case "${UNAME_MACHINE_ARCH}" in case "${UNAME_MACHINE_ARCH}" in
arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) earm*)
os=netbsdelf
;;
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
eval $set_cc_for_build eval $set_cc_for_build
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ELF__ | grep -q __ELF__
@ -256,6 +259,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:Sortix:*:*) *:Sortix:*:*)
echo ${UNAME_MACHINE}-unknown-sortix echo ${UNAME_MACHINE}-unknown-sortix
exit ;; exit ;;
*:Redox:*:*)
echo ${UNAME_MACHINE}-unknown-redox
exit ;;
alpha:OSF1:*:*) alpha:OSF1:*:*)
case $UNAME_RELEASE in case $UNAME_RELEASE in
*4.0) *4.0)
@ -312,15 +318,6 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exitcode=$? exitcode=$?
trap '' 0 trap '' 0
exit $exitcode ;; exit $exitcode ;;
Alpha\ *:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# Should we change UNAME_MACHINE based on the output of uname instead
# of the specific Alpha model?
echo alpha-pc-interix
exit ;;
21064:Windows_NT:50:3)
echo alpha-dec-winnt3.5
exit ;;
Amiga*:UNIX_System_V:4.0:*) Amiga*:UNIX_System_V:4.0:*)
echo m68k-unknown-sysv4 echo m68k-unknown-sysv4
exit ;; exit ;;
@ -386,7 +383,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# This test works for both compilers. # This test works for both compilers.
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null grep IS_64BIT_ARCH >/dev/null
then then
SUN_ARCH=x86_64 SUN_ARCH=x86_64
@ -684,7 +681,7 @@ EOF
exit (0); exit (0);
} }
EOF EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;; fi ;;
esac esac
@ -701,7 +698,7 @@ EOF
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23 # => hppa64-hp-hpux11.23
if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__ grep -q __LP64__
then then
HP_ARCH=hppa2.0w HP_ARCH=hppa2.0w
@ -834,10 +831,11 @@ EOF
UNAME_PROCESSOR=`/usr/bin/uname -p` UNAME_PROCESSOR=`/usr/bin/uname -p`
case ${UNAME_PROCESSOR} in case ${UNAME_PROCESSOR} in
amd64) amd64)
echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; UNAME_PROCESSOR=x86_64 ;;
*) i386)
echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; UNAME_PROCESSOR=i586 ;;
esac esac
echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
exit ;; exit ;;
*:MidnightBSD:*:*) *:MidnightBSD:*:*)
UNAME_PROCESSOR=`/usr/bin/uname -p` UNAME_PROCESSOR=`/usr/bin/uname -p`
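
Review bot: on 32-bit FreeBSD the reported triplet changes from `i386-unknown-freebsd<release>` to `i586-unknown-freebsd<release>` because of the new `i386) UNAME_PROCESSOR=i586 ;;` arm. Any host match elsewhere in the build or packaging that keys on the literal `i386-*-freebsd*` will stop matching after this update; check those patterns and widen them to `i?86-*-freebsd*` where needed. The `amd64` arm still yields `x86_64`, so 64-bit hosts are unaffected.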
@ -860,10 +858,6 @@ EOF
*:MSYS*:*) *:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys echo ${UNAME_MACHINE}-pc-msys
exit ;; exit ;;
i*:windows32*:*)
# uname -m includes "-pc" on this system.
echo ${UNAME_MACHINE}-mingw32
exit ;;
i*:PW*:*) i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32 echo ${UNAME_MACHINE}-pc-pw32
exit ;; exit ;;
@ -879,27 +873,12 @@ EOF
echo ia64-unknown-interix${UNAME_RELEASE} echo ia64-unknown-interix${UNAME_RELEASE}
exit ;; exit ;;
esac ;; esac ;;
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
echo i${UNAME_MACHINE}-pc-mks
exit ;;
8664:Windows_NT:*)
echo x86_64-pc-mks
exit ;;
i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
# UNAME_MACHINE based on the output of uname instead of i386?
echo i586-pc-interix
exit ;;
i*:UWIN*:*) i*:UWIN*:*)
echo ${UNAME_MACHINE}-pc-uwin echo ${UNAME_MACHINE}-pc-uwin
exit ;; exit ;;
amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
echo x86_64-unknown-cygwin echo x86_64-unknown-cygwin
exit ;; exit ;;
p*:CYGWIN*:*)
echo powerpcle-unknown-cygwin
exit ;;
prep*:SunOS:5.*:*) prep*:SunOS:5.*:*)
echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;; exit ;;
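
Review bot: this hunk drops the arms for `[345]86:Windows_95:*`, `8664:Windows_NT:*`, `i*:Windows_NT*:*` and `p*:CYGWIN*:*`, so a build host reporting one of those `uname` strings no longer gets a triplet here and, unless an arm outside this hunk matches, ends at the "unable to guess system type" error. If any of these environments is still a supported build host, the install notes should tell users to pass the triplet explicitly with `--build`; if none is, say so in the changelog so the loss of detection is a recorded decision and not a side effect of the script refresh.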
@ -909,7 +888,7 @@ EOF
exit ;; exit ;;
*:GNU/*:*:*) *:GNU/*:*:*)
# other systems with GNU libc and userland # other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;; exit ;;
i*86:Minix:*:*) i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix echo ${UNAME_MACHINE}-pc-minix
@ -1006,6 +985,9 @@ EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;; ;;
mips64el:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
openrisc*:Linux:*:*) openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC} echo or1k-unknown-linux-${LIBC}
exit ;; exit ;;
@ -1038,6 +1020,9 @@ EOF
ppcle:Linux:*:*) ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC} echo powerpcle-unknown-linux-${LIBC}
exit ;; exit ;;
riscv32:Linux:*:* | riscv64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
s390:Linux:*:* | s390x:Linux:*:*) s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux-${LIBC} echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;; exit ;;
@ -1285,6 +1270,9 @@ EOF
SX-8R:SUPER-UX:*:*) SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE} echo sx8r-nec-superux${UNAME_RELEASE}
exit ;; exit ;;
SX-ACE:SUPER-UX:*:*)
echo sxace-nec-superux${UNAME_RELEASE}
exit ;;
Power*:Rhapsody:*:*) Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE} echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;; exit ;;
@ -1300,7 +1288,7 @@ EOF
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null grep IS_64BIT_ARCH >/dev/null
then then
case $UNAME_PROCESSOR in case $UNAME_PROCESSOR in
@ -1308,6 +1296,13 @@ EOF
powerpc) UNAME_PROCESSOR=powerpc64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac esac
fi fi
# On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc
if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_PPC >/dev/null
then
UNAME_PROCESSOR=powerpc
fi
fi fi
elif test "$UNAME_PROCESSOR" = i386 ; then elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub # Avoid executing cc on OS X 10.9, as it ships with a stub
@ -1331,15 +1326,18 @@ EOF
*:QNX:*:4*) *:QNX:*:4*)
echo i386-pc-qnx echo i386-pc-qnx
exit ;; exit ;;
NEO-?:NONSTOP_KERNEL:*:*) NEO-*:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE} echo neo-tandem-nsk${UNAME_RELEASE}
exit ;; exit ;;
NSE-*:NONSTOP_KERNEL:*:*) NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE} echo nse-tandem-nsk${UNAME_RELEASE}
exit ;; exit ;;
NSR-?:NONSTOP_KERNEL:*:*) NSR-*:NONSTOP_KERNEL:*:*)
echo nsr-tandem-nsk${UNAME_RELEASE} echo nsr-tandem-nsk${UNAME_RELEASE}
exit ;; exit ;;
NSX-*:NONSTOP_KERNEL:*:*)
echo nsx-tandem-nsk${UNAME_RELEASE}
exit ;;
*:NonStop-UX:*:*) *:NonStop-UX:*:*)
echo mips-compaq-nonstopux echo mips-compaq-nonstopux
exit ;; exit ;;
@ -1395,7 +1393,7 @@ EOF
echo i386-pc-xenix echo i386-pc-xenix
exit ;; exit ;;
i*86:skyos:*:*) i*86:skyos:*:*)
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;; exit ;;
i*86:rdos:*:*) i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos echo ${UNAME_MACHINE}-pc-rdos
@ -1414,18 +1412,17 @@ esac
cat >&2 <<EOF cat >&2 <<EOF
$0: unable to guess system type $0: unable to guess system type
This script, last modified $timestamp, has failed to recognize This script (version $timestamp), has failed to recognize the
the operating system you are using. It is advised that you operating system you are using. If your script is old, overwrite *all*
download the most up to date version of the config scripts from copies of config.guess and config.sub with the latest versions from:
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and and
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
If the version you run ($0) is already up to date, please If $0 has already been updated, send the following data and any
send the following data and any information you think might be information you think might be pertinent to config-patches@gnu.org to
pertinent to <config-patches@gnu.org> in order to provide the needed provide the necessary information to handle your system.
information to handle your system.
config.guess timestamp = $timestamp config.guess timestamp = $timestamp


@ -6,6 +6,9 @@
/* Compile with debug code */ /* Compile with debug code */
#undef DEBUG #undef DEBUG
/* Enable use of /dev/urandom */
#undef ENABLE_DEV_URANDOM
/* this is the prefix for STL exception functions */ /* this is the prefix for STL exception functions */
#undef EXCEPTION_NAMESPACE #undef EXCEPTION_NAMESPACE
@ -15,6 +18,21 @@
/* Define to 1 if you have the <CommonCrypto/CommonDigest.h> header file. */ /* Define to 1 if you have the <CommonCrypto/CommonDigest.h> header file. */
#undef HAVE_COMMONCRYPTO_COMMONDIGEST_H #undef HAVE_COMMONCRYPTO_COMMONDIGEST_H
/* Has /dev/arandom */
#undef HAVE_DEV_ARANDOM
/* Has /dev/random */
#undef HAVE_DEV_RANDOM
/* Has /dev/urandom */
#undef HAVE_DEV_URANDOM
/* Define to 1 if you have the `door_create' function. */
#undef HAVE_DOOR_CREATE
/* Define to 1 if you have the <door.h> header file. */
#undef HAVE_DOOR_H
/* Define to 1 if you have the <fcntl.h> header file. */ /* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H #undef HAVE_FCNTL_H
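
Review bot: the descriptions for `HAVE_DEV_ARANDOM`, `HAVE_DEV_RANDOM` and `HAVE_DEV_URANDOM` ("Has /dev/random" and so on) do not say which device is preferred when more than one is present, or what the code falls back to when none is defined, and the `ENABLE_DEV_URANDOM` description added in the previous hunk does not say what consumes the entropy or what the default is. These macros are set when the package is configured, so a package configured on one machine and installed on another, or a cross build, can record the wrong answer for the target. Please extend the description strings to state the precedence and the fallback, and consider checking for the device at run time before relying on the compile-time result.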
@ -54,6 +72,12 @@
/* Define to 1 if you have the <openssl/sha.h> header file. */ /* Define to 1 if you have the <openssl/sha.h> header file. */
#undef HAVE_OPENSSL_SHA_H #undef HAVE_OPENSSL_SHA_H
/* Define to 1 if you have the `port_create' function. */
#undef HAVE_PORT_CREATE
/* Define to 1 if you have the <port.h> header file. */
#undef HAVE_PORT_H
/* Define to 1 if you have the `posix_fadvise' function. */ /* Define to 1 if you have the `posix_fadvise' function. */
#undef HAVE_POSIX_FADVISE #undef HAVE_POSIX_FADVISE
@ -78,6 +102,15 @@
/* Define to 1 if you have the <string.h> header file. */ /* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H #undef HAVE_STRING_H
/* Define to 1 if `st_blocks' is a member of `struct stat'. */
#undef HAVE_STRUCT_STAT_ST_BLOCKS
/* Define to 1 if `st_rdev' is a member of `struct stat'. */
#undef HAVE_STRUCT_STAT_ST_RDEV
/* Define to 1 if you have the `swab' function. */
#undef HAVE_SWAB
/* Define to 1 if you have the <syslog.h> header file. */ /* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H #undef HAVE_SYSLOG_H
@ -111,6 +144,9 @@
/* Define to 1 if you have the <sys/types.h> header file. */ /* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H #undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the <sys/unistd.h> header file. */
#undef HAVE_SYS_UNISTD_H
/* Define to 1 if you have the <sys/ustat.h> header file. */ /* Define to 1 if you have the <sys/ustat.h> header file. */
#undef HAVE_SYS_USTAT_H #undef HAVE_SYS_USTAT_H
@ -165,6 +201,9 @@
/* The size of `long long', as computed by sizeof. */ /* The size of `long long', as computed by sizeof. */
#undef SIZEOF_LONG_LONG #undef SIZEOF_LONG_LONG
/* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T
/* Don't use gethostbyname() on Solaris */ /* Don't use gethostbyname() on Solaris */
#undef SOLARIS_NO_GETHOSTBYNAME #undef SOLARIS_NO_GETHOSTBYNAME

63
config.sub vendored

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Configuration validation subroutine script. # Configuration validation subroutine script.
# Copyright 1992-2016 Free Software Foundation, Inc. # Copyright 1992-2017 Free Software Foundation, Inc.
timestamp='2016-01-01' timestamp='2017-09-22'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
@ -15,7 +15,7 @@ timestamp='2016-01-01'
# General Public License for more details. # General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <https://www.gnu.org/licenses/>.
# #
# As a special exception to the GNU General Public License, if you # As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a # distribute this file as part of a program that contains a
@ -33,7 +33,7 @@ timestamp='2016-01-01'
# Otherwise, we print the canonical config type on stdout and succeed. # Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from: # You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages # This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases # and recognize all the CPU types, system types and aliases
@ -67,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\ version="\
GNU config.sub ($timestamp) GNU config.sub ($timestamp)
Copyright 1992-2016 Free Software Foundation, Inc. Copyright 1992-2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -117,7 +117,7 @@ case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
kopensolaris*-gnu* | \ kopensolaris*-gnu* | cloudabi*-eabi* | \
storm-chaos* | os2-emx* | rtmk-nova*) storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
@ -229,9 +229,6 @@ case $os in
-ptx*) -ptx*)
basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
;; ;;
-windowsnt*)
os=`echo $os | sed -e 's/windowsnt/winnt/'`
;;
-psos*) -psos*)
os=-psos os=-psos
;; ;;
@ -263,7 +260,7 @@ case $basic_machine in
| fido | fr30 | frv | ft32 \ | fido | fr30 | frv | ft32 \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| hexagon \ | hexagon \
| i370 | i860 | i960 | ia64 \ | i370 | i860 | i960 | ia16 | ia64 \
| ip2k | iq2000 \ | ip2k | iq2000 \
| k1om \ | k1om \
| le32 | le64 \ | le32 | le64 \
@ -301,6 +298,7 @@ case $basic_machine in
| open8 | or1k | or1knd | or32 \ | open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \ | pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \ | powerpc | powerpc64 | powerpc64le | powerpcle \
| pru \
| pyramid \ | pyramid \
| riscv32 | riscv64 \ | riscv32 | riscv64 \
| rl78 | rx \ | rl78 | rx \
@ -314,6 +312,7 @@ case $basic_machine in
| ubicom32 \ | ubicom32 \
| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
| visium \ | visium \
| wasm32 \
| we32k \ | we32k \
| x86 | xc16x | xstormy16 | xtensa \ | x86 | xc16x | xstormy16 | xtensa \
| z8k | z80) | z8k | z80)
@ -387,7 +386,7 @@ case $basic_machine in
| h8300-* | h8500-* \ | h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| hexagon-* \ | hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \ | i*86-* | i860-* | i960-* | ia16-* | ia64-* \
| ip2k-* | iq2000-* \ | ip2k-* | iq2000-* \
| k1om-* \ | k1om-* \
| le32-* | le64-* \ | le32-* | le64-* \
@ -428,6 +427,7 @@ case $basic_machine in
| orion-* \ | orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
| pru-* \
| pyramid-* \ | pyramid-* \
| riscv32-* | riscv64-* \ | riscv32-* | riscv64-* \
| rl78-* | romp-* | rs6000-* | rx-* \ | rl78-* | romp-* | rs6000-* | rx-* \
@ -444,6 +444,7 @@ case $basic_machine in
| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
| vax-* \ | vax-* \
| visium-* \ | visium-* \
| wasm32-* \
| we32k-* \ | we32k-* \
| x86-* | x86_64-* | xc16x-* | xps100-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \
| xstormy16-* | xtensa*-* \ | xstormy16-* | xtensa*-* \
@ -643,6 +644,14 @@ case $basic_machine in
basic_machine=m68k-bull basic_machine=m68k-bull
os=-sysv3 os=-sysv3
;; ;;
e500v[12])
basic_machine=powerpc-unknown
os=$os"spe"
;;
e500v[12]-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
os=$os"spe"
;;
ebmon29k) ebmon29k)
basic_machine=a29k-amd basic_machine=a29k-amd
os=-ebmon os=-ebmon
@ -938,6 +947,9 @@ case $basic_machine in
nsr-tandem) nsr-tandem)
basic_machine=nsr-tandem basic_machine=nsr-tandem
;; ;;
nsx-tandem)
basic_machine=nsx-tandem
;;
op50n-* | op60c-*) op50n-* | op60c-*)
basic_machine=hppa1.1-oki basic_machine=hppa1.1-oki
os=-proelf os=-proelf
@ -1022,7 +1034,7 @@ case $basic_machine in
ppc-* | ppcbe-*) ppc-* | ppcbe-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;; ;;
ppcle | powerpclittle | ppc-le | powerpc-little) ppcle | powerpclittle)
basic_machine=powerpcle-unknown basic_machine=powerpcle-unknown
;; ;;
ppcle-* | powerpclittle-*) ppcle-* | powerpclittle-*)
@ -1032,7 +1044,7 @@ case $basic_machine in
;; ;;
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
;; ;;
ppc64le | powerpc64little | ppc64-le | powerpc64-little) ppc64le | powerpc64little)
basic_machine=powerpc64le-unknown basic_machine=powerpc64le-unknown
;; ;;
ppc64le-* | powerpc64little-*) ppc64le-* | powerpc64little-*)
@ -1233,6 +1245,9 @@ case $basic_machine in
basic_machine=a29k-wrs basic_machine=a29k-wrs
os=-vxworks os=-vxworks
;; ;;
wasm32)
basic_machine=wasm32-unknown
;;
w65*) w65*)
basic_machine=w65-wdc basic_machine=w65-wdc
os=-none os=-none
@ -1241,6 +1256,9 @@ case $basic_machine in
basic_machine=hppa1.1-winbond basic_machine=hppa1.1-winbond
os=-proelf os=-proelf
;; ;;
x64)
basic_machine=x86_64-pc
;;
xbox) xbox)
basic_machine=i686-pc basic_machine=i686-pc
os=-mingw32 os=-mingw32
@ -1348,8 +1366,8 @@ esac
if [ x"$os" != x"" ] if [ x"$os" != x"" ]
then then
case $os in case $os in
# First match some system type aliases # First match some system type aliases that might get confused
# that might get confused with valid system types. # with valid system types.
# -solaris* is a basic system type, with this one exception. # -solaris* is a basic system type, with this one exception.
-auroraux) -auroraux)
os=-auroraux os=-auroraux
@ -1369,9 +1387,9 @@ case $os in
-gnu/linux*) -gnu/linux*)
os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
;; ;;
# First accept the basic system types. # Now accept the basic system types.
# The portable systems comes first. # The portable systems comes first.
# Each alternative MUST END IN A *, to match a version number. # Each alternative MUST end in a * to match a version number.
# -sysv* is not here because it comes later, after sysvr4. # -sysv* is not here because it comes later, after sysvr4.
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
@ -1387,9 +1405,9 @@ case $os in
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \ | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
@ -1399,7 +1417,7 @@ case $os in
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
| -onefs* | -tirtos*) | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*)
# Remember, each alternative MUST END IN *, to match a version number. # Remember, each alternative MUST END IN *, to match a version number.
;; ;;
-qnx*) -qnx*)
@ -1531,6 +1549,8 @@ case $os in
;; ;;
-nacl*) -nacl*)
;; ;;
-ios)
;;
-none) -none)
;; ;;
*) *)
@ -1626,6 +1646,9 @@ case $basic_machine in
sparc-* | *-sun) sparc-* | *-sun)
os=-sunos4.1.1 os=-sunos4.1.1
;; ;;
pru-*)
os=-elf
;;
*-be) *-be)
os=-beos os=-beos
;; ;;

configure vendored

@ -1,7 +1,7 @@
#! /bin/sh #! /bin/sh
# From configure.ac Revision: 2.4.3.4 . # From configure.ac Revision: 2.4.3.7 .
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tripwire 2.4.3.4. # Generated by GNU Autoconf 2.69 for tripwire 2.4.3.7.
# #
# Report bugs to <https://github.com/Tripwire/tripwire-open-source/issues>. # Report bugs to <https://github.com/Tripwire/tripwire-open-source/issues>.
# #
@ -12,7 +12,7 @@
# This configure script is free software; the Free Software Foundation # This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it. # gives unlimited permission to copy, distribute and modify it.
# #
# The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. # The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
## -------------------- ## ## -------------------- ##
## M4sh Initialization. ## ## M4sh Initialization. ##
## -------------------- ## ## -------------------- ##
@ -584,8 +584,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='tripwire' PACKAGE_NAME='tripwire'
PACKAGE_TARNAME='tripwire' PACKAGE_TARNAME='tripwire'
PACKAGE_VERSION='2.4.3.4' PACKAGE_VERSION='2.4.3.7'
PACKAGE_STRING='tripwire 2.4.3.4' PACKAGE_STRING='tripwire 2.4.3.7'
PACKAGE_BUGREPORT='https://github.com/Tripwire/tripwire-open-source/issues' PACKAGE_BUGREPORT='https://github.com/Tripwire/tripwire-open-source/issues'
PACKAGE_URL='https://github.com/Tripwire/tripwire-open-source' PACKAGE_URL='https://github.com/Tripwire/tripwire-open-source'
@ -724,7 +724,6 @@ infodir
docdir docdir
oldincludedir oldincludedir
includedir includedir
runstatedir
localstatedir localstatedir
sharedstatedir sharedstatedir
sysconfdir sysconfdir
@ -748,8 +747,12 @@ ac_subst_files=''
ac_user_opts=' ac_user_opts='
enable_option_checking enable_option_checking
enable_silent_rules enable_silent_rules
enable_extrawarnings
enable_static enable_static
enable_debug enable_debug
enable_coverage
enable_profiling
enable_urandom
enable_dependency_tracking enable_dependency_tracking
enable_commoncrypto enable_commoncrypto
enable_iconv enable_iconv
@ -809,7 +812,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc' sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com' sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var' localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include' includedir='${prefix}/include'
oldincludedir='/usr/include' oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1062,15 +1064,6 @@ do
| -silent | --silent | --silen | --sile | --sil) | -silent | --silent | --silen | --sile | --sil)
silent=yes ;; silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;; ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
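Review bot: the runstatedir option parsing removed here, together with the matching removals in the ac_subst_vars, default-value, directory-check and help hunks, does not correspond to anything in the configure.ac hunks shown, and the header still reads "Generated by GNU Autoconf 2.69". The script was therefore regenerated with a different autoconf build than the previous revision. Packaging that passes --runstatedir=DIR will now stop with an unrecognized-option error. State the autoconf build used in the commit message, or regenerate with the same build as before so the generated diff contains only the intended changes.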
@ -1208,7 +1201,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \ datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir libdir localedir mandir
do do
eval ac_val=\$$ac_var eval ac_val=\$$ac_var
# Remove trailing slashes. # Remove trailing slashes.
@ -1321,7 +1314,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures tripwire 2.4.3.4 to adapt to many kinds of systems. \`configure' configures tripwire 2.4.3.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1361,7 +1354,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var] --localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib] --libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include] --includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include] --oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -1393,7 +1385,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of tripwire 2.4.3.4:";; short | recursive ) echo "Configuration of tripwire 2.4.3.7:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1403,8 +1395,12 @@ Optional Features:
--enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-silent-rules less verbose build output (undo: "make V=1") --enable-silent-rules less verbose build output (undo: "make V=1")
--disable-silent-rules verbose build output (undo: "make V=0") --disable-silent-rules verbose build output (undo: "make V=0")
—-disable-extrawarnings do not compile with -Wextra warnings enabled
--enable-static compile static binaries --enable-static compile static binaries
--enable-debug compile with debuging enabled --enable-debug compile with debuging enabled
--enable-coverage enable code coverage
--enable-profiling enable profiling
--enable-urandom use /dev/urandom
--enable-dependency-tracking --enable-dependency-tracking
do not reject slow dependency extractors do not reject slow dependency extractors
--disable-dependency-tracking --disable-dependency-tracking
@ -1504,14 +1500,14 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
tripwire configure 2.4.3.4 tripwire configure 2.4.3.7
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it. gives unlimited permission to copy, distribute and modify it.
The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
_ACEOF _ACEOF
exit exit
fi fi
@ -2034,6 +2030,63 @@ rm -f conftest.val
} # ac_fn_c_compute_int } # ac_fn_c_compute_int
# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
# ----------------------------------------------------
# Tries to find if the field MEMBER exists in type AGGR, after including
# INCLUDES, setting cache variable VAR accordingly.
ac_fn_c_check_member ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
$as_echo_n "checking for $2.$3... " >&6; }
if eval \${$4+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$5
int
main ()
{
static $2 ac_aggr;
if (ac_aggr.$3)
return 0;
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
eval "$4=yes"
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$5
int
main ()
{
static $2 ac_aggr;
if (sizeof ac_aggr.$3)
return 0;
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
eval "$4=yes"
else
eval "$4=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
eval ac_res=\$$4
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_member
# ac_fn_c_try_link LINENO # ac_fn_c_try_link LINENO
# ----------------------- # -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded. # Try to link conftest.$ac_ext, and return whether this succeeded.
@ -2391,7 +2444,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by tripwire $as_me 2.4.3.4, which was It was created by tripwire $as_me 2.4.3.7, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -3365,7 +3418,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='tripwire' PACKAGE='tripwire'
VERSION='2.4.3.4' VERSION='2.4.3.7'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
@ -3464,11 +3517,21 @@ ac_config_headers="$ac_config_headers config.h"
rm -f src/tripwire/syslog.h 2> /dev/null CFLAGS=${CFLAGS:-"-O -pipe -Wall -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"}
chmod 755 install-sh 2> /dev/null CXXFLAGS=${CXXFLAGS:-"-O -pipe -Wall -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"}
CFLAGS=${CFLAGS:-"-O -pipe -Wall -Wextra -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"}
CXXFLAGS=${CXXFLAGS:-"-O -pipe -Wall -Wextra -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"} # This is primarily to support old compilers that dont understand -Wextra
# Check whether --enable-extrawarnings was given.
if test "${enable_extrawarnings+set}" = set; then :
enableval=$enable_extrawarnings;
fi
if test "x$enable_extrawarnings" != "xno"
then
CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter"
CXXFLAGS="${CXXFLAGS} -Wextra -Wno-unused-parameter"
fi
# Check whether --enable-static was given. # Check whether --enable-static was given.
if test "${enable_static+set}" = set; then : if test "${enable_static+set}" = set; then :
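Review bot: the "-Wextra -Wno-unused-parameter" append runs after the CFLAGS=${CFLAGS:-...} default, so it now also applies when the caller supplied their own CFLAGS or CXXFLAGS; before this change those two flags were only part of the default string. A build with custom flags and a compiler that rejects -Wextra now fails unless --disable-extrawarnings is passed as well. Append only when the defaults were used, or probe the compiler for -Wextra support instead of relying on an opt-out. The added comment should also read "don't" rather than "dont".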
@ -3478,6 +3541,7 @@ fi
if test "x$enable_static" = xyes if test "x$enable_static" = xyes
then LDFLAGS="${LDFLAGS} -static" then LDFLAGS="${LDFLAGS} -static"
fi fi
# Check whether --enable-debug was given. # Check whether --enable-debug was given.
if test "${enable_debug+set}" = set; then : if test "${enable_debug+set}" = set; then :
enableval=$enable_debug; enableval=$enable_debug;
@ -3490,6 +3554,46 @@ then
$as_echo "#define DEBUG 1" >>confdefs.h $as_echo "#define DEBUG 1" >>confdefs.h
else
$as_echo "#define NDEBUG 1" >>confdefs.h
fi
# Check whether --enable-coverage was given.
if test "${enable_coverage+set}" = set; then :
enableval=$enable_coverage;
fi
if test "x$enable_coverage" = xyes
then
CFLAGS="${CFLAGS} --coverage"
CXXFLAGS="${CXXFLAGS} --coverage"
LDFLAGS="${LDFLAGS} --coverage"
fi
# Check whether --enable-profiling was given.
if test "${enable_profiling+set}" = set; then :
enableval=$enable_profiling;
fi
if test "x$enable_profiling" = xyes
then
CFLAGS="${CFLAGS} -pg"
CXXFLAGS="${CXXFLAGS} -pg"
LDFLAGS="${LDFLAGS} -pg"
fi
# Check whether --enable-urandom was given.
if test "${enable_urandom+set}" = set; then :
enableval=$enable_urandom;
fi
if test "x$enable_urandom" = xyes
then
$as_echo "#define ENABLE_DEV_URANDOM 1" >>confdefs.h
fi fi
ac_ext=c ac_ext=c
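Review bot: the new else branch writes "#define NDEBUG 1" only when --enable-debug is off, but a later hunk of this same script still shows "#define NDEBUG 1" as an unchanged context line right after "#define IS_UNIX 1". If that later define is unconditional, a debug build ends up with both DEBUG and NDEBUG set and assert() stays compiled out, which defeats the purpose of this branch. Remove the later AC_DEFINE(NDEBUG, ...) from configure.ac so this is the only place the macro is set, and regenerate.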
@ -4349,7 +4453,7 @@ if test -z "$CXX"; then
CXX=$CCC CXX=$CCC
else else
if test -n "$ac_tool_prefix"; then if test -n "$ac_tool_prefix"; then
for ac_prog in g++ clang++ sunCC aCC xlC_r xlC cl.exe for ac_prog in g++ c++ clang++ sunCC aCC xlC_r xlC cl.exe
do do
# Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
set dummy $ac_tool_prefix$ac_prog; ac_word=$2 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
@ -4393,7 +4497,7 @@ fi
fi fi
if test -z "$CXX"; then if test -z "$CXX"; then
ac_ct_CXX=$CXX ac_ct_CXX=$CXX
for ac_prog in g++ clang++ sunCC aCC xlC_r xlC cl.exe for ac_prog in g++ c++ clang++ sunCC aCC xlC_r xlC cl.exe
do do
# Extract the first word of "$ac_prog", so it can be a program name with args. # Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2 set dummy $ac_prog; ac_word=$2
@ -5522,7 +5626,20 @@ fi
done done
for ac_header in unistd.h syslog.h langinfo.h sys/statfs.h sys/select.h for ac_header in unistd.h sys/unistd.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
fi
done
for ac_header in syslog.h langinfo.h sys/statfs.h sys/select.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -6053,6 +6170,39 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
# The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of time_t" >&5
$as_echo_n "checking size of time_t... " >&6; }
if ${ac_cv_sizeof_time_t+:} false; then :
$as_echo_n "(cached) " >&6
else
if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (time_t))" "ac_cv_sizeof_time_t" "$ac_includes_default"; then :
else
if test "$ac_cv_type_time_t" = yes; then
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "cannot compute sizeof (time_t)
See \`config.log' for more details" "$LINENO" 5; }
else
ac_cv_sizeof_time_t=0
fi
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_time_t" >&5
$as_echo "$ac_cv_sizeof_time_t" >&6; }
cat >>confdefs.h <<_ACEOF
#define SIZEOF_TIME_T $ac_cv_sizeof_time_t
_ACEOF
$as_echo "#define USES_1S_COMPLEMENT 0" >>confdefs.h $as_echo "#define USES_1S_COMPLEMENT 0" >>confdefs.h
@ -6078,6 +6228,26 @@ $as_echo "#define IS_UNIX 1" >>confdefs.h
$as_echo "#define NDEBUG 1" >>confdefs.h $as_echo "#define NDEBUG 1" >>confdefs.h
ac_fn_c_check_member "$LINENO" "struct stat" "st_rdev" "ac_cv_member_struct_stat_st_rdev" "$ac_includes_default"
if test "x$ac_cv_member_struct_stat_st_rdev" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_STRUCT_STAT_ST_RDEV 1
_ACEOF
fi
ac_fn_c_check_member "$LINENO" "struct stat" "st_blocks" "ac_cv_member_struct_stat_st_blocks" "$ac_includes_default"
if test "x$ac_cv_member_struct_stat_st_blocks" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_STRUCT_STAT_ST_BLOCKS 1
_ACEOF
fi
for ac_func in strftime gethostname gethostid for ac_func in strftime gethostname gethostid
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
@ -6102,6 +6272,17 @@ _ACEOF
fi fi
done done
for ac_func in swab
do :
ac_fn_c_check_func "$LINENO" "swab" "ac_cv_func_swab"
if test "x$ac_cv_func_swab" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_SWAB 1
_ACEOF
fi
done
for ac_header in fcntl.h for ac_header in fcntl.h
do : do :
@ -6148,6 +6329,78 @@ done
fi fi
for ac_header in door.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "door.h" "ac_cv_header_door_h" "$ac_includes_default"
if test "x$ac_cv_header_door_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_DOOR_H 1
_ACEOF
for ac_func in door_create
do :
ac_fn_c_check_func "$LINENO" "door_create" "ac_cv_func_door_create"
if test "x$ac_cv_func_door_create" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_DOOR_CREATE 1
_ACEOF
fi
done
fi
done
for ac_header in port.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "port.h" "ac_cv_header_port_h" "$ac_includes_default"
if test "x$ac_cv_header_port_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PORT_H 1
_ACEOF
for ac_func in port_create
do :
ac_fn_c_check_func "$LINENO" "port_create" "ac_cv_func_port_create"
if test "x$ac_cv_func_port_create" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PORT_CREATE 1
_ACEOF
fi
done
fi
done
UNAME=`uname`
if [ $UNAME != "AROS" ]; then
if test -c "/dev/random"; then
$as_echo "#define HAVE_DEV_RANDOM 1" >>confdefs.h
fi
if test -c "/dev/urandom"; then
$as_echo "#define HAVE_DEV_URANDOM 1" >>confdefs.h
fi
if test -c "/dev/arandom"; then
$as_echo "#define HAVE_DEV_ARANDOM 1" >>confdefs.h
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lc" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lc" >&5
$as_echo_n "checking for socket in -lc... " >&6; } $as_echo_n "checking for socket in -lc... " >&6; }
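Review bot: the /dev/random, /dev/urandom and /dev/arandom probes use "test -c" on the machine running configure, so the HAVE_DEV_* macros describe the build host rather than the system the binary will run on. That is wrong for cross builds and for chroot or container builds with a minimal /dev, and it changes which code keyed on these macros gets compiled without any message to the builder. Prefer a run-time check in the code that opens the device, or at least skip the probe when cross_compiling is yes. Also quote the variable in [ $UNAME != "AROS" ] so an empty uname result does not turn into a test syntax error.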
@ -6850,6 +7103,9 @@ case $target in
;; ;;
*-*-netbsd*) *-*-netbsd*)
;; ;;
*-*-libertybsd*)
CXXFLAGS="${CXXFLAGS} -DTW_LibertyBSD"
;;
i[0-9]86-pc-linux*) i[0-9]86-pc-linux*)
;; ;;
sparc-*-linux*) sparc-*-linux*)
@ -7633,7 +7889,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by tripwire $as_me 2.4.3.4, which was This file was extended by tripwire $as_me 2.4.3.7, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -7700,7 +7956,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
tripwire config.status 2.4.3.4 tripwire config.status 2.4.3.7
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"


@ -2,47 +2,75 @@ dnl Process this file with autoconf to produce a configure script.
dnl dnl
dnl dnl
AC_INIT([tripwire], [2.4.3.4], [https://github.com/Tripwire/tripwire-open-source/issues], [tripwire], [https://github.com/Tripwire/tripwire-open-source]) AC_INIT([tripwire], [2.4.3.7], [https://github.com/Tripwire/tripwire-open-source/issues], [tripwire], [https://github.com/Tripwire/tripwire-open-source])
AC_CONFIG_SRCDIR([src/tw/tw.cpp]) AC_CONFIG_SRCDIR([src/tw/tw.cpp])
AC_CANONICAL_TARGET([]) AC_CANONICAL_TARGET([])
AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE
AM_CONFIG_HEADER(config.h) AM_CONFIG_HEADER(config.h)
AC_COPYRIGHT([The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.]) AC_COPYRIGHT([The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.])
AC_REVISION([$Revision: 2.4.3.4 $]) AC_REVISION([$Revision: 2.4.3.7 $])
dnl #################################
dnl Cleanup Cruft Leftover From Patch
dnl #################################
rm -f src/tripwire/syslog.h 2> /dev/null
chmod 755 install-sh 2> /dev/null
dnl ############### dnl ###############
dnl Setup defaults dnl Setup defaults
dnl ############### dnl ###############
CFLAGS=${CFLAGS:-"-O -pipe -Wall -Wextra -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"} CFLAGS=${CFLAGS:-"-O -pipe -Wall -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"}
CXXFLAGS=${CXXFLAGS:-"-O -pipe -Wall -Wextra -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"} CXXFLAGS=${CXXFLAGS:-"-O -pipe -Wall -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"}
dnl ##################### dnl #####################
dnl Configuration options dnl Configuration options
dnl ##################### dnl #####################
# This is primarily to support old compilers that dont understand -Wextra
AC_ARG_ENABLE(extrawarnings, [ —-disable-extrawarnings do not compile with -Wextra warnings enabled])
if test "x$enable_extrawarnings" != "xno"
then
CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter"
CXXFLAGS="${CXXFLAGS} -Wextra -Wno-unused-parameter"
fi
AC_ARG_ENABLE(static, [ --enable-static compile static binaries]) AC_ARG_ENABLE(static, [ --enable-static compile static binaries])
if test "x$enable_static" = xyes if test "x$enable_static" = xyes
then LDFLAGS="${LDFLAGS} -static" then LDFLAGS="${LDFLAGS} -static"
fi fi
AC_ARG_ENABLE(debug, [ --enable-debug compile with debuging enabled]) AC_ARG_ENABLE(debug, [ --enable-debug compile with debuging enabled])
if test "x$enable_debug" = xyes if test "x$enable_debug" = xyes
then then
CFLAGS="${CFLAGS} -g" CFLAGS="${CFLAGS} -g"
CXXFLAGS="${CXXFLAGS} -g" CXXFLAGS="${CXXFLAGS} -g"
AC_DEFINE(DEBUG, 1, [Compile with debug code]) AC_DEFINE(DEBUG, 1, [Compile with debug code])
else
AC_DEFINE(NDEBUG, 1, [Compile without debug code])
fi
AC_ARG_ENABLE(coverage, [ --enable-coverage enable code coverage])
if test "x$enable_coverage" = xyes
then
CFLAGS="${CFLAGS} --coverage"
CXXFLAGS="${CXXFLAGS} --coverage"
LDFLAGS="${LDFLAGS} --coverage"
fi
AC_ARG_ENABLE(profiling, [ --enable-profiling enable profiling])
if test "x$enable_profiling" = xyes
then
CFLAGS="${CFLAGS} -pg"
CXXFLAGS="${CXXFLAGS} -pg"
LDFLAGS="${LDFLAGS} -pg"
fi
AC_ARG_ENABLE(urandom, [ --enable-urandom use /dev/urandom])
if test "x$enable_urandom" = xyes
then
AC_DEFINE(ENABLE_DEV_URANDOM, 1, [Enable use of /dev/urandom])
fi fi
dnl ################### dnl ###################
dnl Checks for programs dnl Checks for programs
dnl ################### dnl ###################
AC_PROG_CC([gcc clang suncc aCC xlC_r xlC cl.exe]) AC_PROG_CC([gcc clang suncc aCC xlC_r xlC cl.exe])
AC_PROG_CXX([g++ clang++ sunCC aCC xlC_r xlC cl.exe]) AC_PROG_CXX([g++ c++ clang++ sunCC aCC xlC_r xlC cl.exe])
AC_PROG_RANLIB AC_PROG_RANLIB
AC_PROG_YACC AC_PROG_YACC
AC_PROG_LN_S AC_PROG_LN_S
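Review bot: the help string for the new extrawarnings option starts with a non-ASCII dash character followed by a single hyphen instead of two ASCII hyphens, so `./configure --help` prints an option name that cannot be copied and pasted; write it as `--disable-extrawarnings`. The comment line above it also has "dont" for "don't".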
@ -71,7 +99,8 @@ AC_CHECK_HEADERS(sys/mount.h,,,
#endif #endif
]]) ]])
AC_CHECK_HEADERS(sys/ustat.h sys/sysmacros.h sys/syslog.h sys/socket.h) AC_CHECK_HEADERS(sys/ustat.h sys/sysmacros.h sys/syslog.h sys/socket.h)
AC_CHECK_HEADERS(unistd.h syslog.h langinfo.h sys/statfs.h sys/select.h) AC_CHECK_HEADERS(unistd.h sys/unistd.h)
AC_CHECK_HEADERS(syslog.h langinfo.h sys/statfs.h sys/select.h)
AC_CHECK_HEADERS(signum.h bits/signum.h, break ) AC_CHECK_HEADERS(signum.h bits/signum.h, break )
AC_CHECK_HEADERS(stdarg.h varargs.h, break ) AC_CHECK_HEADERS(stdarg.h varargs.h, break )
AC_CHECK_HEADERS(sys/utsname.h memory.h) AC_CHECK_HEADERS(sys/utsname.h memory.h)
@ -93,6 +122,7 @@ AC_C_BIGENDIAN
AC_CHECK_SIZEOF(int) AC_CHECK_SIZEOF(int)
AC_CHECK_SIZEOF(long) AC_CHECK_SIZEOF(long)
AC_CHECK_SIZEOF(long long) AC_CHECK_SIZEOF(long long)
AC_CHECK_SIZEOF(time_t)
dnl All platforms we support use 2's complement, are byte aligned, etc... dnl All platforms we support use 2's complement, are byte aligned, etc...
AC_DEFINE(USES_1S_COMPLEMENT, 0, [Uses one's complement]) AC_DEFINE(USES_1S_COMPLEMENT, 0, [Uses one's complement])
@ -109,11 +139,15 @@ AC_DEFINE(IS_UNIX, 1, [Is a unix type platform])
dnl whether or not to generate debuging code? dnl whether or not to generate debuging code?
AC_DEFINE(NDEBUG, 1, [don't generate debuging code]) AC_DEFINE(NDEBUG, 1, [don't generate debuging code])
dnl look for struct stat members that aren't always there
AC_CHECK_MEMBERS([struct stat.st_rdev, struct stat.st_blocks])
dnl ############################# dnl #############################
dnl Checks for standard functions dnl Checks for standard functions
dnl ############################# dnl #############################
AC_CHECK_FUNCS(strftime gethostname gethostid) AC_CHECK_FUNCS(strftime gethostname gethostid)
AC_CHECK_FUNCS(mkstemp mktemp, break) AC_CHECK_FUNCS(mkstemp mktemp, break)
AC_CHECK_FUNCS(swab)
dnl check for posix_fadvise dnl check for posix_fadvise
AC_CHECK_HEADERS(fcntl.h, [AC_CHECK_FUNCS(posix_fadvise)]) AC_CHECK_HEADERS(fcntl.h, [AC_CHECK_FUNCS(posix_fadvise)])
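Review bot: the unchanged `AC_DEFINE(NDEBUG, 1, [don't generate debuging code])` context line in this hunk still defines NDEBUG unconditionally, which cancels out the `else AC_DEFINE(NDEBUG, 1, ...)` branch added to the --enable-debug test earlier in the file. As shown, a build configured with --enable-debug gets both DEBUG and NDEBUG, and NDEBUG disables assert(). Remove the unconditional define so the debug switch is the only place that sets it.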
@ -127,6 +161,40 @@ then
AC_CHECK_HEADERS(CommonCrypto/CommonDigest.h) AC_CHECK_HEADERS(CommonCrypto/CommonDigest.h)
fi fi
dnl check for door support (Solaris)
AC_CHECK_HEADERS(door.h, [AC_CHECK_FUNCS(door_create)])
dnl check for event port support (Solaris)
AC_CHECK_HEADERS(port.h, [AC_CHECK_FUNCS(port_create)])
dnl ##############################################
dnl check for various RNG/PRNG devices
dnl ##############################################
UNAME=`uname`
dnl ##############################################
dnl AROS pops up a "Please insert disk" dialog for /dev
dnl if script looks for devices (which don't exist)
dnl so don't even try looking.
dnl ##############################################
if [[ $UNAME != "AROS" ]]; then
if test -c "/dev/random"; then
AC_DEFINE(HAVE_DEV_RANDOM, [1], [Has /dev/random])
fi
if test -c "/dev/urandom"; then
AC_DEFINE(HAVE_DEV_URANDOM, [1], [Has /dev/urandom])
fi
if test -c "/dev/arandom"; then
AC_DEFINE(HAVE_DEV_ARANDOM, [1], [Has /dev/arandom])
fi
fi
dnl ############################################## dnl ##############################################
dnl Checks for various platform specific libraries dnl Checks for various platform specific libraries
dnl ############################################## dnl ##############################################
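Review bot: the `test -c "/dev/random"`, `/dev/urandom` and `/dev/arandom` probes run on the machine that executes configure, so HAVE_DEV_RANDOM, HAVE_DEV_URANDOM and HAVE_DEV_ARANDOM describe the build host and not the system the binaries will run on. That gives the wrong answer for cross builds and for packages built in a chroot or container that lacks those device nodes. Since these macros record which RNG devices exist, prefer opening the device at run time with an explicit fallback, or at least skip the probe when cross compiling. `$UNAME` in the AROS test should be quoted as well.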
@ -281,6 +349,9 @@ case $target in
;; ;;
*-*-netbsd*) *-*-netbsd*)
;; ;;
*-*-libertybsd*)
CXXFLAGS="${CXXFLAGS} -DTW_LibertyBSD"
;;
i[[0-9]]86-pc-linux*) i[[0-9]]86-pc-linux*)
;; ;;
sparc-*-linux*) sparc-*-linux*)


@ -17,7 +17,7 @@
## from Larry Wall's metaconfig. ## from Larry Wall's metaconfig.
##------------------------------------------------------- ##-------------------------------------------------------
PATH='.:/bin:/usr/bin' PATH=".:/bin:/usr/bin:/usr/local/bin:$PATH"
export PATH || (echo 'You must use sh to run this script'; kill $$) export PATH || (echo 'You must use sh to run this script'; kill $$)
if [ ! -t 0 ] ; then if [ ! -t 0 ] ; then
echo "Say 'sh install.sh', not 'sh < install.sh'" echo "Say 'sh install.sh', not 'sh < install.sh'"
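Review bot: the new `PATH=".:/bin:/usr/bin:/usr/local/bin:$PATH"` keeps `.` as the first entry and now also appends whatever PATH the caller had, in an installer whose default prefix is /usr/local and whose later hunks resolve the pager and the editor with `command -v`. An executable named less, vi, sed or awk in the current directory, or in any writable directory on the inherited PATH, gets picked up and run by the installer. Drop `.` and use a fixed system path such as `PATH="/bin:/usr/bin:/usr/local/bin"`.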
@ -28,7 +28,7 @@ fi
## The usage message. ## The usage message.
##------------------------------------------------------- ##-------------------------------------------------------
USAGE="install.sh [<configfile>] [-n] [-f] [-s <sitepassphrase>] [-l <localpassphrase>]" USAGE="install.sh [<configfile>] [-n] [-f] [-s <sitepassphrase>] [-l <localpassphrase>] [-d <installdir>]"
##------------------------------------------------------- ##-------------------------------------------------------
## Figure out how to do an echo without newline. ## Figure out how to do an echo without newline.
@ -42,18 +42,6 @@ else
c="" c=""
fi fi
##-------------------------------------------------------
## Better have a copy of tar!
## If /bin/sh does not exist or is not readable (seems
## fairly unlikely), then this will fail.
##-------------------------------------------------------
(tar cvf /dev/null /bin/sh) 2> /dev/null 1>&2
if [ $? -ne 0 ]; then
echo "tar command not found -- aborting install."
exit 1
fi
##------------------------------------------------------- ##-------------------------------------------------------
## Can't live without sed. ## Can't live without sed.
##------------------------------------------------------- ##-------------------------------------------------------
@ -78,50 +66,22 @@ for p in $awknames; do
fi fi
done done
##-------------------------------------------------------
## Does this system have a copy of grep we can use?
## Some greps don't return status (amazing, huh?),
## so we look for a copy of grep that
## returns 0 status for an exact match
## returns 0 status for a case-insensitive match
## returns 0 status for a wildcard match
## returns non-zero status for a failed match
##-------------------------------------------------------
GREP=""
grepnames="grep egrep"
lcgrepstr="findensiemich" # all lower case
mcgrepstr="FindenSieMich" # mixed case
wcgrepstr="sie.ich$" # wild card match
nogrepstr="WoBistDu" # should not be able to find this
for p in $grepnames; do
(echo "$lcgrepstr" | $p "$lcgrepstr") 2> /dev/null 1>&2
if [ $? -eq 0 ]; then
(echo "$lcgrepstr" | $p -i "$mcgrepstr") 2> /dev/null 1>&2
if [ $? -eq 0 ]; then
(echo "$lcgrepstr" | $p "$wcgrepstr") 2> /dev/null 1>&2
if [ $? -eq 0 ]; then
(echo "$lcgrepstr" | $p "$nogrepstr") 2> /dev/null 1>&2
if [ $? -ne 0 ]; then
GREP=$p
break
fi
fi
fi
fi
done
##------------------------------------------------------- ##-------------------------------------------------------
## Does this system have a pager that we can use? ## Does this system have a pager that we can use?
## Use cat if desperate. ## Use cat if desperate.
##------------------------------------------------------- ##-------------------------------------------------------
MORE="cat" MORE="cat"
morenames="more less cat" morenames="less more most pg cat"
for p in $morenames; do for p in $morenames; do
($p $0 < /dev/null) 2> /dev/null 1>&2 pagerpath=`command -v $p`
if [ $? -eq 0 ]; then
MORE=$p if [ -z $pagerpath ]; then
continue
fi
if [ -x $pagerpath ]; then
MORE=$pagerpath
break break
fi fi
done done
@ -144,8 +104,10 @@ fi
## Miscellaneous configuration parameters. ## Miscellaneous configuration parameters.
##------------------------------------------------------- ##-------------------------------------------------------
# prefix # set a few location variables if caller didn't pass them to us
prefix="${prefix:=/usr}" prefix="${prefix:=/usr/local}"
sysconfdir="${sysconfdir:=/usr/local/etc}"
path_to_vi="${path_to_vi:=/usr/bin/vi}"
# License File name # License File name
TWLICENSEFILE="COPYING" TWLICENSEFILE="COPYING"
@ -192,10 +154,16 @@ TAR_DIR=${TAR_DIR:-${START_DIR}}
OS=`uname -s` OS=`uname -s`
POLICYSRC="twpol-${OS:=GENERIC}.txt" POLICYSRC="twpol-${OS:=GENERIC}.txt"
if [ ! -r ${TAR_DIR}/policy/${POLICYSRC} ] if [ ! -r ${TAR_DIR}/policy/${POLICYSRC} ]; then
then POLICYSRC="twpol-GENERIC.txt" OS=`uname -o`
POLICYSRC="twpol-${OS:=GENERIC}.txt"
fi fi
if [ ! -r ${TAR_DIR}/policy/${POLICYSRC} ]; then
POLICYSRC="twpol-GENERIC.txt"
fi
##------------------------------------------------------- ##-------------------------------------------------------
## Parse the command line. ## Parse the command line.
##------------------------------------------------------- ##-------------------------------------------------------
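Review bot: the new fallback calls `uname -o`, which is not in POSIX and which some uname implementations reject; its stderr is not redirected, so on those systems the installer prints a usage error before it falls through to twpol-GENERIC.txt. Redirect stderr of that call to /dev/null. The `-r` tests should also quote `${TAR_DIR}/policy/${POLICYSRC}`, since TAR_DIR comes from the start directory and may contain spaces.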
@ -218,6 +186,13 @@ while [ "x$1" != "x" ] ; do
exit 1 ;; exit 1 ;;
*) TW_LOCAL_PASS="$2"; shift ;; *) TW_LOCAL_PASS="$2"; shift ;;
esac ;; esac ;;
-d) case "$2" in
"" | -*)
echo "Error: missing install dir with -d option." 1>&2
echo "$USAGE"
exit 1 ;;
*) prefix="$2"; sysconfdir="$2/bin"; shift ;;
esac ;;
-*) echo "Error: unknown argument $1" 1>&2 -*) echo "Error: unknown argument $1" 1>&2
echo "$USAGE" echo "$USAGE"
exit 1 ;; exit 1 ;;
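Review bot: in the new `-d` branch, `sysconfdir="$2/bin"` points the configuration directory at the bin directory of the install tree, while the default set earlier in the script is `/usr/local/etc`. If that is intended it needs a comment saying why; otherwise it should probably be `"$2/etc"`. The argument is also used as given, so a relative path goes straight into prefix; check that it is absolute before accepting it.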
@ -243,9 +218,8 @@ cat << END_OF_TEXT
Installer program for: Installer program for:
Tripwire(R) 2.4 Open Source Tripwire(R) 2.4 Open Source
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R) Copyright (C) 1998-2017 Tripwire, Inc.
is a registered trademark of the Purdue Research Foundation and is Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
licensed exclusively to Tripwire (R) Security Systems, Inc.
END_OF_TEXT END_OF_TEXT
@ -418,14 +392,48 @@ else
## Verify that the specified editor program exists ## Verify that the specified editor program exists
##------------------------------------------------------- ##-------------------------------------------------------
TWEDITOR=${TWEDITOR:-'/bin/vi'} # If user specified an editor in $path_to_vi or $TWEDITOR, try that first.
# $path_to_vi defaults to /usr/bin/vi, so we usually succeed here.
#
if [ -n ${TWEDITOR} ]; then
TWEDITOR_PATH=`command -v $TWEDITOR`
fi
# If user's environment includes $EDITOR, try that next
if [ -n ${EDITOR} ] && [ -z ${TWEDITOR_PATH} ]; then
TWEDITOR_PATH=`command -v $EDITOR`
fi
# Ok, now search path for vi
if [ -z ${TWEDITOR_PATH} ]; then
TWEDITOR_PATH=`command -v vi`
fi
# Try vim in case there isn't a link named vi
if [ -z ${TWEDITOR_PATH} ]; then
TWEDITOR_PATH=`command -v vim`
fi
# No vi/vim? See if nano is present
if [ -z ${TWEDITOR_PATH} ]; then
TWEDITOR_PATH=`command -v nano`
fi
# No vi or nano? See if emacs is available
if [ -z ${TWEDITOR_PATH} ]; then
TWEDITOR_PATH=`command -v emacs`
fi
if [ -n ${TWEDITOR_PATH} ]; then
TWEDITOR=$TWEDITOR_PATH
fi
if [ -x ${TWEDITOR} ]; then if [ -x ${TWEDITOR} ]; then
echo "${TWEDITOR} exists. Continuing installation." echo "${TWEDITOR} exists. Continuing installation."
echo echo
else else
echo "${TWEDITOR} does not exist. Exiting." echo "${TWEDITOR} not found. Continuing, but your configuration may need to be edited after installation."
exit 1 echo
fi fi
##------------------------------------------------------- ##-------------------------------------------------------
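Review bot: every test in the new editor search expands its variable unquoted (`[ -n ${TWEDITOR} ]`, `[ -n ${TWEDITOR_PATH} ]`, `[ -x ${TWEDITOR} ]`), and with an empty value `[ -n ]` and `[ -x ]` become one-argument tests that are always true. When TWEDITOR is unset, `command -v` runs with no argument; when no editor is found at all, the final `if [ -n ${TWEDITOR_PATH} ]` overwrites TWEDITOR with an empty string and the script prints " exists. Continuing installation." instead of the new warning. Quote all of the expansions. The leading comment also says $path_to_vi is tried first, but nothing in this hunk reads path_to_vi now that the `TWEDITOR=${TWEDITOR:-'/bin/vi'}` default is gone.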
@ -584,9 +592,12 @@ f10=' ff=${POLICYSRC} ; d="/policy" ; dd=$TWPOLICY ; rr=0640 '
#f16=' ff=twadmin.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 ' #f16=' ff=twadmin.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
#f17=' ff=twintro.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 ' #f17=' ff=twintro.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
#f18=' ff=twprint.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 ' #f18=' ff=twprint.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
f19=' ff=COMMERCIAL ; d="" ; dd=$TWDOCS ; rr=0444 '
f20=' ff=ReadMe-2.4.3 ; d="" ; dd=$TWDOCS ; rr=0444 '
f21=' ff=ChangeLog ; d="" ; dd=$TWDOCS ; rr=0444 '
# Binaries and manpages are already installed by the install target # Binaries and manpages are already installed by the install target
loosefiles="f3 f4 f5 f6 f7 f8 f9 f10" loosefiles="f3 f4 f5 f6 f7 f8 f9 f10 f19 f20 f21"
for i in $loosefiles; do for i in $loosefiles; do
eval "eval \"\$$i\"" eval "eval \"\$$i\""
@ -607,7 +618,9 @@ done
if [ -n "$INSTALL_STRIP_FLAG" ] ; then if [ -n "$INSTALL_STRIP_FLAG" ] ; then
echo "INSTALL_STRIP_FLAG is set, stripping binaries" echo "INSTALL_STRIP_FLAG is set, stripping binaries"
chmod u+w "$TWBIN/siggen" "$TWBIN/tripwire" "$TWBIN/twadmin" "$TWBIN/twprint"
strip "$TWBIN/siggen" "$TWBIN/tripwire" "$TWBIN/twadmin" "$TWBIN/twprint" strip "$TWBIN/siggen" "$TWBIN/tripwire" "$TWBIN/twadmin" "$TWBIN/twprint"
chmod u-w "$TWBIN/siggen" "$TWBIN/tripwire" "$TWBIN/twadmin" "$TWBIN/twprint"
fi fi
#Make extra sure we don't install the unit test binary to sbin #Make extra sure we don't install the unit test binary to sbin
@ -923,7 +936,7 @@ cat << END_OF_TEXT
---------------------------------------------- ----------------------------------------------
The installation succeeded. The installation succeeded.
Please refer to $README_LOC Please refer to documentation in $TWDOCS
for release information and to the printed user documentation for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source. for further instructions on using Tripwire 2.4 Open Source.

18
lcov.sh Executable file

@ -0,0 +1,18 @@
#!/bin/sh
if [ -d ./lcov ]; then
rm -Rf ./lcov
fi
if [ -e ./lcov.dat ]; then
rm ./lcov.dat
fi
if [ -e ./lcov.tgz ]; then
rm ./lcov.tgz
fi
lcov --capture --directory src --output-file ./lcov.dat
genhtml ./lcov.dat --output-directory lcov
tar -zcvf lcov.tgz lcov
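Review bot: the script has no error handling, so a failure in `lcov --capture` does not stop it; genhtml and tar run anyway and the exit status is whatever tar returns. Add `set -e` after the shebang. All paths (./lcov, ./lcov.dat, ./lcov.tgz, `--directory src`) are relative to the current directory, so `rm -Rf ./lcov` removes whatever lcov directory exists wherever the script happens to be invoked; cd to the script's own directory first, or check that src exists before deleting anything.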


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -284,7 +284,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -256,7 +256,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@


@ -35,7 +35,7 @@
.. ..
.nh .nh
.ad l .ad l
.TH TWCONFIG 4 "1 July 2000" .TH TWCONFIG 4 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
twconfig \- \fITripwire\fP configuration file reference twconfig \- \fITripwire\fP configuration file reference
.SH DESCRIPTION .SH DESCRIPTION
@ -215,6 +215,15 @@ parameter; reports displayed by other modes and other commands
are not affected. are not affected.
.br .br
Initial value: \fI3\fP Initial value: \fI3\fP
.IP \f(CWDBPRINTLEVEL\fP
Specifies the default level of report produced by the \fBtwprint
\(hy\(hyprint\(hydbfile\fP mode. Valid values for this option are 0 to
2. The output
level specified by this option can be overridden with the (\fB\(hyt\fP\ or\ \fB\(hy\(hyoutput\(hylevel\fP) option on the command line. If
this variable is not included in the configuration file, the default
output level is 2.
.br
Initial value: \fI2\fP
.IP \f(CWHASH_DIRECT_IO\fP .IP \f(CWHASH_DIRECT_IO\fP
Use direct i/o when hashing files. (Linux-only as of OST 2.4.3.2) Use direct i/o when hashing files. (Linux-only as of OST 2.4.3.2)
.br .br
@ -302,7 +311,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),


@ -36,7 +36,7 @@
.\" .\"
.nh .nh
.ad l .ad l
.TH TWPOLICY 4 "1 July 2000" .TH TWPOLICY 4 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
twpolicy \- \fITripwire\fP policy file reference twpolicy \- \fITripwire\fP policy file reference
.SH DESCRIPTION .SH DESCRIPTION
@ -537,7 +537,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -256,7 +256,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@


@ -25,7 +25,7 @@
.\" .\"
.nh .nh
.ad l .ad l
.TH TWFILES 5 "1 July 2000" .TH TWFILES 5 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
twfiles \- overview of files used by \fITripwire\fR and file backup process twfiles \- overview of files used by \fITripwire\fR and file backup process
.\" .\"
@ -112,7 +112,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -256,7 +256,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@


@ -2,9 +2,9 @@
.\" Do not move or remove previous line. .\" Do not move or remove previous line.
.\" Used by some man commands to know that tbl should be used. .\" Used by some man commands to know that tbl should be used.
.nh .nh
.TH SIGGEN 8 "19 Feb 2004" .TH SIGGEN 8 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
siggen \- signature gathering routine for Tripwire siggen \- signature gathering utility for Tripwire
.SH SYNOPSIS .SH SYNOPSIS
.B siggen .B siggen
[ [
@ -54,6 +54,8 @@ Display Haval value, a 128-bit hash code.
.TP .TP
.IR file1 " [ " "file2... " ] .IR file1 " [ " "file2... " ]
List of filesystem objects for which to display values. List of filesystem objects for which to display values.
.SH EXIT STATUS
\fBsiggen\fP exits 0 on success, 1 on error.
.SH VERSION INFORMATION .SH VERSION INFORMATION
This man page describes This man page describes
.B siggen .B siggen
@ -67,7 +69,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),


@ -36,9 +36,9 @@
.\" .\"
.nh .nh
.ad l .ad l
.TH TRIPWIRE 8 "1 July 2000" .TH TRIPWIRE 8 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
tripwire \- a file integrity checker for \s-1UNIX\s0 systems tripwire \- a file integrity checker for \s-1UNIX-like\s0 systems
.SH SYNOPSIS .SH SYNOPSIS
.B tripwire .B tripwire
.RB "{ " "-m i" " | " "--init" " } " .RB "{ " "-m i" " | " "--init" " } "
@ -554,6 +554,19 @@ Mode selector.
Use the specified email address. This parameter must Use the specified email address. This parameter must
be supplied when test mode is used. Only one address be supplied when test mode is used. Only one address
may be specified. may be specified.
.SH EXIT STATUS
.SS Integrity Checking Mode
\fBtripwire\fP exits 0 if no changes are detected. Otherwise the exit value is a bit mask:
.TP
\fB1\fP At least one file or directory has been added.
.TP
\fB2\fP At least one file or directory has been modified.
.TP
\fB4\fP At least one file or directory has been modified.
.TP
\fB8\fP Error(s) occurred during the check.
.SS All Other Modes
\fBtripwire\fP exits 0 on success, 8 on error.
.SH VERSION INFORMATION .SH VERSION INFORMATION
This man page describes This man page describes
.B tripwire .B tripwire
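Review bot: in the new EXIT STATUS section the entries for bit values 2 and 4 carry the same text, "At least one file or directory has been modified", so one change type (presumably removal) is left undocumented. Scripts that branch on the integrity-check exit code depend on this table, so correct whichever of the two entries is wrong against the code. Each `.TP` is also followed by a single line holding both the value and its description, which makes the whole line the tag; put the description on its own line after the tag.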
@ -567,7 +580,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR twadmin (8), .BR twadmin (8),


@ -17,7 +17,7 @@
.in \\n(.iu .in \\n(.iu
.. ..
.ad l .ad l
.TH TWADMIN 8 "1 July 2000" .TH TWADMIN 8 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
twadmin \- Tripwire administrative and utility tool twadmin \- Tripwire administrative and utility tool
.SH SYNOPSIS .SH SYNOPSIS
@ -538,6 +538,8 @@ file.
Specify passphrase used to decrypt the private key in the specified sitekey Specify passphrase used to decrypt the private key in the specified sitekey
file. file.
.\" ***************************************** .\" *****************************************
.SH EXIT STATUS
\fBtwadmin\fP exits 0 on success, 1 on error.
.SH VERSION INFORMATION .SH VERSION INFORMATION
This man page describes This man page describes
.B twadmin .B twadmin
@ -551,7 +553,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),


@ -16,12 +16,12 @@
.\" .\"
.nh .nh
.ad l .ad l
.TH TWINTRO 8 "1 July 2000" .TH TWINTRO 8 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME .SH NAME
twintro \- introduction to \fITripwire\fP software twintro \- introduction to \fITripwire\fP software
.SH DESCRIPTION .SH DESCRIPTION
.PP .PP
\fITripwire 2.4\fP is a file integrity assessment product for Linux networks. Rather than preventing an intruder or virus \fITripwire 2.4\fP is a file integrity assessment tool for UNIX-like systems. Rather than preventing an intruder or virus
from attacking system files, \fITripwire\fP detects intrusions when from attacking system files, \fITripwire\fP detects intrusions when
they do occur. By comparing system files and directories against a they do occur. By comparing system files and directories against a
previously stored "baseline" database, \fITripwire\fP finds any previously stored "baseline" database, \fITripwire\fP finds any
@ -99,7 +99,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR tripwire (8), .BR tripwire (8),
.BR twadmin (8), .BR twadmin (8),


@ -2,7 +2,7 @@
.\" Do not move or remove previous line. .\" Do not move or remove previous line.
.\" Used by some man commands to know that tbl should be used. .\" Used by some man commands to know that tbl should be used.
.ad l .ad l
.TH TWPRINT 8 "1 July 2000" .TH TWPRINT 8 "04 Jan 2018" "Open Source Tripwire 2.4"
.nh .nh
.SH NAME .SH NAME
twprint \- Tripwire database and report printer twprint \- Tripwire database and report printer
@ -10,6 +10,9 @@ twprint \- Tripwire database and report printer
.B twprint .B twprint
.RB "{ " "-m r" " | " "--print-report" " } " .RB "{ " "-m r" " | " "--print-report" " } "
.RI "[ " options... " ]" .RI "[ " options... " ]"
.if n .br
.if n .ti +.5i
.RI " [ " "object1" " [ " "object2..." " ]]"
.br .br
.B twprint .B twprint
.RB "{ " "-m d" " | " "--print-dbfile" " } " .RB "{ " "-m d" " | " "--print-dbfile" " } "
@ -59,6 +62,7 @@ lbw(1.2i) lb.
-L \fIlocalkey\fP --local-keyfile \fIlocalkey\fP -L \fIlocalkey\fP --local-keyfile \fIlocalkey\fP
-t \fR{ 0|1|2|3|4 }\fP --report-level \fR{ 0|1|2|3|4 }\fP -t \fR{ 0|1|2|3|4 }\fP --report-level \fR{ 0|1|2|3|4 }\fP
.TE .TE
.RI "[ " "object1" " [ " "object2..." " ]]"
.RE .RE
.TP .TP
.BR "\(hym r" ", " --print-report .BR "\(hym r" ", " --print-report
@ -83,10 +87,15 @@ Print the specified report file.
Use the specified local key file to perform verification Use the specified local key file to perform verification
with reports which are signed. with reports which are signed.
.TP .TP
.BI \(hyt " level\fR, " --report-level " level .BI \(hyt " level\fR, " --report-level " level"
Specifies the detail level of the printed report, overriding the Specifies the detail level of the printed report, overriding the
\f(CWREPORTLEVEL\fP variable in the configuration \f(CWREPORTLEVEL\fP variable in the configuration
file. \fIlevel\fR must be a number from 0\ to\ 4. file. \fIlevel\fR must be a number from 0\ to\ 4.
.TP
.RI "[ " "object1" " [ " "object2..." " ]]"
List of filesystem objects in the report to print. If no
objects are specified, every object in the report will
be printed.
.\" ***************************************** .\" *****************************************
.SS Database printing mode: .SS Database printing mode:
.RS 0.4i .RS 0.4i
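Review bot: The new object-list entry for report mode (the `.RI "[ " "object1" ...` paragraph added after `--report-level`) does not say how objects are to be written. The database-mode entry further down spells out a `section: objname objname...` format. If report mode accepts the same format, repeat it here or point to that entry; if it takes something different, say so.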
@ -100,6 +109,7 @@ lbw(1.2i) lb.
-c \fIcfgfile\fP --cfgfile \fIcfgfile\fP -c \fIcfgfile\fP --cfgfile \fIcfgfile\fP
-d \fIdatabase\fP --dbfile \fIdatabase\fP -d \fIdatabase\fP --dbfile \fIdatabase\fP
-L \fIlocalkey\fP --local-keyfile \fIlocalkey\fP -L \fIlocalkey\fP --local-keyfile \fIlocalkey\fP
-t \fR{ 0|1|2 }\fP --output-level \fR{ 0|1|2 }\fP
.TE .TE
.RI "[ " "object1" " [ " "object2..." " ]]" .RI "[ " "object1" " [ " "object2..." " ]]"
.RE .RE
@ -125,6 +135,11 @@ Print the specified database file.
.BI \(hyL " localkey\fR, " --local-keyfile " localkey" .BI \(hyL " localkey\fR, " --local-keyfile " localkey"
Use the specified local key file to read the database. Use the specified local key file to read the database.
.TP .TP
.BI \(hyt " level\fR, " --output-level " level"
Specifies the detail level of the printed database, overriding the
\f(CWDBPRINTLEVEL\fP variable in the configuration
file. \fIlevel\fR must be a number from 0\ to\ 2.
.TP
.RI "[ " "object1" " [ " "object2..." " ]]" .RI "[ " "object1" " [ " "object2..." " ]]"
List of filesystem objects in the database to print. If no List of filesystem objects in the database to print. If no
objects are specified, every object in the database will objects are specified, every object in the database will
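Review bot: The new `--output-level` entry gives only the range 0 to 2; it does not say what each level prints, or which level applies when neither the option nor DBPRINTLEVEL is set. Add a line per level. It is also worth one sentence noting that `-t` maps to `--report-level` (0 to 4) in report mode and to `--output-level` (0 to 2) here, since the short flag is shared between the two modes.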
@ -132,6 +147,8 @@ be printed. The format for a list of objects is:
.if n .I "section: objname objname... section: objname..." .if n .I "section: objname objname... section: objname..."
.if t .br .if t .br
.if t .I "section: objectname objectname... section: objectname..." .if t .I "section: objectname objectname... section: objectname..."
.SH EXIT STATUS
\fBtwprint\fP exits 0 on success, 1 on error.
.SH VERSION INFORMATION .SH VERSION INFORMATION
This man page describes This man page describes
.B twprint .B twprint
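Review bot: The new EXIT STATUS text should say whether naming an object that is not in the report or database counts as an error. With the object list now accepted in both modes, a script that calls twprint for a specific object needs to know whether a miss returns 1 or prints nothing and returns 0.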
@ -145,7 +162,7 @@ Permission is granted to copy and distribute modified versions of this man page
.PP .PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc. Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP .PP
Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved. Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO .SH SEE ALSO
.BR twintro (8), .BR twintro (8),
.BR tripwire (8), .BR tripwire (8),

View File

@ -191,7 +191,7 @@ $(DIR1) -> $(param1); # It is also possible to do a
#============================================================================= #=============================================================================
# #
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, # Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. All rights reserved. # Inc. All rights reserved.
# #
# Linux is a registered trademark of Linus Torvalds. # Linux is a registered trademark of Linus Torvalds.

View File

@ -60,13 +60,14 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
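Review bot: Renaming the mask variables here (Device to SEC_DEVICE, through Temporary to SEC_TEMPORARY) removes the old names outright, so a locally added rule that still references `$(ReadOnly)` or `$(Dynamic)` will no longer resolve once this change is merged into a customised copy. Call the rename out in the ChangeLog as a breaking change for edited policies, and grep the whole file for the old names before merging, since the hunks that follow show only the regions that were changed.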
@ -83,10 +84,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -103,14 +104,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
################################################ ################################################
@ -124,7 +125,7 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
} }
################################################### ###################################################
@ -138,9 +139,9 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -154,10 +155,10 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/lost+found -> $(ReadOnly) ; /lost+found -> $(SEC_READONLY) ;
/hacmplocal -> $(ReadOnly) ; /hacmplocal -> $(SEC_READONLY) ;
/homelocal -> $(ReadOnly) ; /homelocal -> $(SEC_READONLY) ;
/opt -> $(ReadOnly) ; /opt -> $(SEC_READONLY) ;
!/var/adm/csd ; !/var/adm/csd ;
} }
@ -172,7 +173,7 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -186,10 +187,10 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -203,11 +204,11 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
#/.dtprofile -> $(Dynamic) ; #/.dtprofile -> $(SEC_DYNAMIC) ;
! /.netscape/cache ; ! /.netscape/cache ;
/.netscape/history.dat -> $(Dynamic) ; /.netscape/history.dat -> $(SEC_DYNAMIC) ;
/.sh_history -> $(Dynamic) ; /.sh_history -> $(SEC_DYNAMIC) ;
#/.Xauthority -> $(ReadOnly) ; #/.Xauthority -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -221,8 +222,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -251,31 +252,31 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/etc/es/objrepos -> $(ReadOnly) -SHacm ; /etc/es/objrepos -> $(SEC_READONLY) -SHacm ;
/etc/es/objrepos/HACMPresource -> $(ReadOnly) -SHCMcm ; /etc/es/objrepos/HACMPresource -> $(SEC_READONLY) -SHCMcm ;
/etc/lpp/diagnostics/data -> $(ReadOnly) -SHCMacm ; /etc/lpp/diagnostics/data -> $(SEC_READONLY) -SHCMacm ;
/etc/ntp.drift -> $(ReadOnly) -SHiacm ; /etc/ntp.drift -> $(SEC_READONLY) -SHiacm ;
!/etc/objrepos ; !/etc/objrepos ;
/etc/security -> $(ReadOnly) -SHacm ; /etc/security -> $(SEC_READONLY) -SHacm ;
/usr/es/adm/cluster.log -> $(ReadOnly) -SHCMsbm ; /usr/es/adm/cluster.log -> $(SEC_READONLY) -SHCMsbm ;
/usr/es/sbin/cluster/etc/objrepos/active -> $(ReadOnly) -SHim ; /usr/es/sbin/cluster/etc/objrepos/active -> $(SEC_READONLY) -SHim ;
!/usr/etc/sbin/cluster/history ; !/usr/etc/sbin/cluster/history ;
/usr/share/lib/objrepos -> $(ReadOnly) -m ; /usr/share/lib/objrepos -> $(SEC_READONLY) -m ;
/usr/lib/objrepos -> $(ReadOnly) -m ; /usr/lib/objrepos -> $(SEC_READONLY) -m ;
!/var/adm/SPlogs ; !/var/adm/SPlogs ;
/var/ha/log -> $(Growing) -i ; /var/ha/log -> $(SEC_GROWING) -i ;
!/var/adm ; !/var/adm ;
!/var/ct ; !/var/ct ;
#/var/backups -> $(Dynamic) -i ; #/var/backups -> $(SEC_DYNAMIC) -i ;
#/var/db/host.random -> $(ReadOnly) -mCM ; #/var/db/host.random -> $(SEC_READONLY) -mCM ;
#/var/db/locate.database -> $(ReadOnly) -misCM ; #/var/db/locate.database -> $(SEC_READONLY) -misCM ;
#/var/cron -> $(Growing) -i ; #/var/cron -> $(SEC_GROWING) -i ;
#/var/log -> $(Growing) -i ; #/var/log -> $(SEC_GROWING) -i ;
#/var/run -> $(Dynamic) -i ; #/var/run -> $(SEC_DYNAMIC) -i ;
#/var/mail -> $(Growing) ; #/var/mail -> $(SEC_GROWING) ;
#/var/msgs/bounds -> $(ReadOnly) -smbCM ; #/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
#/var/spool/clientmqueue -> $(Temporary) ; #/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
#/var/spool/mqueue -> $(Temporary) ; #/var/spool/mqueue -> $(SEC_TEMPORARY) ;
#!/var/tmp/vi.recover ; # perl script periodically removes this #!/var/tmp/vi.recover ; # perl script periodically removes this
} }
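Review bot: While these lines are being touched, the unchanged stop point `!/usr/etc/sbin/cluster/history` looks like a typo for `/usr/es/sbin/cluster/history`, since every other cluster path in this rule is under `/usr/es`. If so, the stop point never matches anything and should be corrected in this pass. Separately, `!/var/adm` excludes the whole tree, which makes `!/var/adm/SPlogs` redundant; please confirm that excluding all of `/var/adm` is intended.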

132
policy/twpol-AROS.txt Normal file
View File

@ -0,0 +1,132 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for AROS ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="OS Files",)
{
AROS:System -> $(SEC_READONLY);
AROS:Devs -> $(SEC_READONLY);
AROS:Libs -> $(SEC_READONLY);
AROS:Tools-> $(SEC_READONLY);
AROS:Prefs -> $(SEC_READONLY);
AROS:Utilities -> $(SEC_READONLY);
AROS:WBStartup -> $(SEC_READONLY);
}
(rulename="Development Tools",)
{
Work:Development -> $(SEC_READONLY);
}
(rulename="Extras",)
{
Work:Extras -> $(SEC_READONLY);
}
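Review bot: SEC_READONLY as defined in this new file (`+pinugtsdbmCM-rlacSH`) turns off the SHA and HAVAL properties, so the Tripwire binaries, `site.key` and the local key are verified with CRC-32 and MD5 only. For a new policy, consider enabling SHA on at least the "Tripwire Binaries" and key rules, using the same inline mask adjustment the file already uses elsewhere (for example `$(SEC_READONLY) +S`). Smaller points: the legend says `a` is mutually exclusive with `+CMSH`, yet SEC_IGNORE_NONE enables `a` together with `CMSH`; and `AROS:Tools->` is missing the space before the arrow.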

292
policy/twpol-Bitrig.txt Normal file
View File

@ -0,0 +1,292 @@
##############################################################################
# ##
############################################################################## #
# # #
# Tripwire 2.4 policy for Bitrig # #
# updated March 2018 # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
########################################
# ##
######################################## #
# # #
# Tripwire Binaries and Data Files # #
# ##
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already
# scanned using the real directory or mount point. Otherwise we see
# duplicates in the reports.
!/home/local ;
}
################################################
# ##
################################################ #
# # #
# OS Boot and Configuration Files # #
# ##
################################################
(
rulename = "OS Boot and Configuration Files",
)
{
/boot -> $(SEC_READONLY) ;
/bsd -> $(SEC_READONLY) ;
/etc -> $(SEC_IGNORE_NONE) -SHa ;
}
###################################################
# ##
################################################### #
# # #
# Mount Points # #
# ##
###################################################
(
rulename = "Mount Points",
)
{
/ -> $(SEC_READONLY) ;
/cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(SEC_DYNAMIC) ;
/home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(SEC_DYNAMIC) ;
/usr -> $(SEC_READONLY) ;
/var -> $(SEC_READONLY) ;
}
###################################################
# ##
################################################### #
# # #
# Misc Top-Level Directories # #
# ##
###################################################
(
rulename = "Misc Top-Level Directories",
)
{
/altroot -> $(SEC_DYNAMIC) ;
/stand -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# System Devices # #
# ##
################################################
(
rulename = "System Devices",
)
{
/dev -> $(SEC_DEVICE) ;
/dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(SEC_DEVICE) ;
}
################################################
# ##
################################################ #
# # #
# OS Binaries and Libraries # #
# ##
################################################
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(SEC_READONLY) ;
/sbin -> $(SEC_READONLY) ;
/usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(SEC_READONLY) ;
}
################################################
# ##
################################################ #
# # #
# Usr Local Files # #
# ##
################################################
#OK(
#OKrulename = "Usr Local Files",
#OK)
#OK{
#OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(SEC_READONLY) ;
#OK}
################################################
# ##
################################################ #
# # #
# Root Directory and Files # #
# ##
################################################
(
rulename = "Root Directory and Files",
)
{
/root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# Temporary Directories # #
# ##
################################################
(
rulename = "Temporary Directories",
)
{
/tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(SEC_TEMPORARY) ;
}
################################################
# ##
################################################ #
# # #
# System and Boot Changes # #
# ##
################################################
(
rulename = "System and Boot Changes",
)
{
/var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(SEC_GROWING) -i ;
/var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(SEC_TEMPORARY) ;
}
#
# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $
#
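Review bot: The `!/home/local` stop point inside the "Tripwire Data Files" rule, together with the commented-out `#OK` "Usr Local Files" block, appears to leave locally installed software unchecked. The comment says `/usr/local` is a symbolic link to `/home/local` and that the tree is already scanned through the real directory, but `/home/local` is the real directory and it is the one being excluded. This is also a site-specific layout in what is presented as a default policy; either drop the stop point or enable the `/usr/local` rules. The trailing `$Id: twpol-OpenBSD.txt,v 1.2 ...` line is left over from the file this was copied from and should be removed or updated.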

163
policy/twpol-Cygwin.txt Normal file
View File

@ -0,0 +1,163 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for Cygwin ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="Binary files",)
{
/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
}
(rulename="Development",)
{
/usr/x86_64-pc-cygwin -> $(SEC_READONLY) -a;
}
(rulename="Libexec",)
{
/usr/libexec -> $(SEC_READONLY) -a;
}
(rulename="Admin binaries",)
{
/sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(SEC_READONLY) -a;
}
(rulename="Libraries",)
{
/lib -> $(SEC_READONLY) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
}
(rulename="Etc",)
{
/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
(rulename="Dev",)
{
/dev -> $(SEC_DEVICE);
}
(rulename="Tmp",)
{
/tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(SEC_TEMPORARY);
/usr/tmp -> $(SEC_TEMPORARY);
}
(rulename="Log",)
{
/var/log -> $(SEC_GROWING);
}
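Review bot: Every rule from "Binary files" through "Etc" appends `-a` to `$(SEC_READONLY)`, but SEC_READONLY is defined above as `+pinugtsdbmCM-rlacSH`, which already ignores `a`. Drop the suffix, or add a comment if it is meant as a guard against a later change to the mask definition.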

View File

@ -2,8 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for Mac OS X # # # Tripwire 2.4 policy for Mac OS X # #
# September 3, 2003 # # # updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -28,7 +28,7 @@ TWDB=;
TWSKEY=; TWSKEY=;
TWLKEY=; TWLKEY=;
TWREPORT=; TWREPORT=;
#USER1=frodo ; HOSTNAME=;
############################################################################## ##############################################################################
@ -67,9 +67,10 @@ SEC_DYNAMIC = +pinugt-dsrlbamcCMSH ;
SEC_READONLY = +pinugtsbmCM-drlacSH ; SEC_READONLY = +pinugtsbmCM-drlacSH ;
SEC_GROWING = +pinugtl-dsrbamcCMSH ; SEC_GROWING = +pinugtl-dsrbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -109,7 +110,7 @@ Temporary = +pugt ;
$(TWDB) -> $(SEC_DYNAMIC) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/local.key -> $(SEC_READONLY) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
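Review bot: Changing the key rule from `$(TWLKEY)/local.key` to `$(TWLKEY)/$(HOSTNAME)-local.key` means an existing installation whose key file is still named `local.key` loses coverage of that file, and the new path will not be found. HOSTNAME is also declared empty in the GLOBAL section, so when the policy is used directly rather than through the installation script the rule expands to `-local.key`. State the expected key file name in the header comment or the ChangeLog.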
@ -129,14 +130,14 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", severity=100 rulename = "OS Boot and Configuration Files", severity=100
) )
{ {
/mach.sym -> $(SEC_READONLY)-im ; #/mach.sym -> $(SEC_READONLY)-im ;
/mach_kernel -> $(SEC_READONLY) ; /mach_kernel -> $(SEC_READONLY) ;
/private/etc -> $(SEC_READONLY)-m ; /private/etc -> $(SEC_READONLY)-m ;
#/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ; #/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ;
#/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ; #/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ;
/private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ; /private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ;
/private/etc/smb.conf -> $(SEC_READONLY)-im ; #/private/etc/smb.conf -> $(SEC_READONLY)-im ;
/Library -> $(SEC_READONLY) ; /Library -> $(SEC_READONLY) ;
/System -> $(SEC_READONLY) ; /System -> $(SEC_READONLY) ;
@ -182,8 +183,6 @@ Temporary = +pugt ;
) )
{ {
/dev -> $(SEC_DEVICE)(recurse=0) ; /dev -> $(SEC_DEVICE)(recurse=0) ;
#/private/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -203,8 +202,8 @@ Temporary = +pugt ;
/usr/lib -> $(SEC_READONLY) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(SEC_READONLY) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(SEC_READONLY) ; /usr/sbin -> $(SEC_READONLY) ;
#/usr/X11R6 -> $(SEC_READONLY)(recurse=2) ; # May not be present /usr/X11 -> $(SEC_READONLY)(recurse=2) ; # May not be present
#/usr/X11R6/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present #/usr/X11/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
/usr/share -> $(SEC_READONLY) ; /usr/share -> $(SEC_READONLY) ;
/usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ; /usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ;
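Review bot: `/usr/X11` is now an active rule but still carries the "May not be present" comment, so on a host without X11 the object will be reported as missing on each check. Keep it commented out like the `/usr/X11/man` line below it, or drop the caveat if the path is expected on every supported release.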
@ -223,12 +222,6 @@ Temporary = +pugt ;
) )
{ {
/Applications -> $(SEC_READONLY)-im(recurse=2) ; /Applications -> $(SEC_READONLY)-im(recurse=2) ;
"/Applications (Mac OS 9)" -> $(SEC_READONLY) ;
!/Applications/Internet/P2P/Downloads ;
!/Applications/Games/"Warcraft III Folder"/Save ;
} }
################################################ ################################################
@ -243,10 +236,19 @@ Temporary = +pugt ;
) )
{ {
/usr/local -> $(SEC_READONLY) ; /usr/local -> $(SEC_READONLY) ;
#/usr/local/bin -> $(SEC_READONLY) ; /usr/local/sbin -> $(SEC_READONLY) ;
/usr/local/bin -> $(SEC_READONLY) ;
/usr/local/include -> $(SEC_READONLY) ;
/usr/local/opt -> $(SEC_READONLY) ;
/usr/local/libexec -> $(SEC_READONLY) ;
/usr/local/lib -> $(SEC_READONLY) ;
/usr/local/etc -> $(SEC_READONLY) ; /usr/local/etc -> $(SEC_READONLY) ;
#/usr/local/sbin -> $(SEC_READONLY) ; /usr/local/share -> $(SEC_READONLY) ;
#/usr/local/share -> $(SEC_READONLY) ; /usr/local/man -> $(SEC_READONLY) ;
/usr/local/Frameworks -> $(SEC_READONLY) ;
# Homebrew
/usr/local/.git -> $(SEC_READONLY) ;
/usr/local/Cellar -> $(SEC_READONLY) ;
} }
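Review bot: The added `/usr/local/sbin`, `bin`, `include`, `opt`, `libexec`, `lib`, `share`, `man` and `Frameworks` rules all use `$(SEC_READONLY)`, the same mask as the existing `/usr/local` rule at the top of the block, so unless recursion is limited somewhere outside this hunk they add no coverage and only produce missing-object noise on hosts that lack one of them. The Homebrew entries (`/usr/local/.git`, `/usr/local/Cellar`) can be expected to change on every package update; a looser mask, or a comment describing the expected database-update workflow, would help whoever triages the reports.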
@ -263,24 +265,26 @@ Temporary = +pugt ;
{ {
/private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ; /private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ;
/private/tftpboot -> $(SEC_READONLY)-i ;
/private/var -> $(SEC_READONLY)-i ; /private/var -> $(SEC_READONLY)-i ;
/private/var/backups -> $(SEC_READONLY)-imc(severity=100) ; /private/var/backups -> $(SEC_READONLY)-imc(severity=100) ;
#/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ; #/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ;
#/private/var/cron -> $(SEC_DYNAMIC) -i ; #/private/var/cron -> $(SEC_DYNAMIC) -i ;
/private/var/db -> $(SEC_READONLY)-im ; /private/var/db -> $(SEC_READONLY)-im ;
/private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ; /private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ;
/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ; #/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
#/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ; #/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ;
/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ; #/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
/private/var/log -> $(SEC_DYNAMIC) -i ; /private/var/log -> $(SEC_DYNAMIC) -i ;
#/private/var/mail -> $(SEC_DYNAMIC) ; #/private/var/mail -> $(SEC_DYNAMIC) ;
/private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ; /private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ;
/private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ; /private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ;
/private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ; /private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
#/private/var/slp.regfile -> $(SEC_READONLY)-im ; #/private/var/slp.regfile -> $(SEC_READONLY)-im ;
/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ; #/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
/private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ; /private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ;
/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ; #/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
/private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ; /private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ;
/private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ; /private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ;
/private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ; /private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ;
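Review bot: the entries commented out on the new side (`Store.384`, `prebindOnDemandBadFiles`, `spool/clientmqueue`, `spool/lock`) carry no explanation, and for the `$(SEC_DYNAMIC)` ones the change is not neutral: with the specific rule gone, any of those paths that still exists falls under the stricter `/private/var -> $(SEC_READONLY)-i` rule above and will start reporting changes. If they were disabled because the paths no longer exist on current systems, a one-line comment saying so is enough; otherwise the relaxed rules should stay.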
@ -294,37 +298,19 @@ Temporary = +pugt ;
!/private/var/db/dhcpd_leases ; !/private/var/db/dhcpd_leases ;
!/private/var/db/locate.database ; !/private/var/db/locate.database ;
!/private/var/db/SystemEntropyCache ; !/private/var/db/SystemEntropyCache ;
!/private/var/db/mds/messages/se_SecurityMessages ;
!/private/var/db/samba/secrets.tdb ; !/private/var/db/samba/secrets.tdb ;
!/private/var/db/ntp.drift ;
!/private/var/folders ;
!/private/var/vm/sleepimage ;
!/private/var/vm/swap0 ;
!/private/var/vm/swap[1-9][0-9]* ;
# Sophos
!/Library/Caches/com.sophos.sau ;
!/Library/Caches/com.sophos.sxld ;
} }
################################################
# ##
################################################ #
# # #
# Classic Environment # #
# ##
################################################
(
rulename = "Classic Environment", severity=100
)
{
/"System Folder" -> $(SEC_READONLY) ;
/"System Folder"/Preferences -> $(SEC_DYNAMIC)-i(recurse=0) ;
/"System Folder"/Extensions -> $(SEC_READONLY)-im ;
/"System Folder/Apple Menu Items" -> $(SEC_READONLY)-im(recurse=0) ;
/"System Folder"/Clipboard -> $(SEC_DYNAMIC) ;
!/"System Folder"/VolumeNameIconPict ;
}
################################################### ###################################################
# ## # ##
################################################### # ################################################### #
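Review bot: the new stop point `!/private/var/vm/swap[1-9][0-9]*` depends on pattern matching in object names; please confirm the policy parser expands it, because if the name is taken literally this line excludes nothing and only `swap0` is actually skipped. `!/private/var/folders` is also a broad exclusion (the whole per-user temporary and cache tree), so it deserves a comment stating that this is intentional. The removal of the "Classic Environment" rule in the same hunk looks fine.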
@ -375,7 +361,3 @@ Temporary = +pugt ;
#!"/Users/$(USER1)/.lpoptions" ; #!"/Users/$(USER1)/.lpoptions" ;
#!"/Users/$(USER1)/.Trash" ; #!"/Users/$(USER1)/.Trash" ;
} }
#
# JTI
#

664
policy/twpol-DragonFly.txt Normal file

@ -0,0 +1,664 @@
#
# Policy file for DragonFly BSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
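Review bot: the `/dev` rule still reads `/dev -> $(Device) (recurse = true) ;` while every other rule in this new file uses the `SEC_` variables defined at the top, and `SEC_DEVICE` is defined there but never referenced in the lines shown. Switch the rule to `$(SEC_DEVICE)` so the file follows the naming convention it introduces. The header comments and the rule names "FreeBSD Kernel" and "FreeBSD Modules" were also carried over unchanged from the FreeBSD policy; if the `/kernel` and `/modules` paths are correct for DragonFly, rename the rules, and if they are not, the paths need updating too.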

View File

@ -53,13 +53,21 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_TEMPORARY = +pugt ;
SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SIG_HI = 100 ; # Critical files that are significant points of vulnerability
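Review bot: the seven literal masks added at the top of `@@section FS` (`SEC_DEVICE` through `SEC_TEMPORARY`) replace references to the built-in `$(IgnoreNone)`, `$(ReadOnly)`, `$(Dynamic)` and `$(Growing)` variables, but nothing states whether they are meant to be exact copies of those built-ins. Add a comment saying so, since the same block is now pasted into each policy file and a later edit to one copy would silently change what `SEC_CRIT` or `SEC_BIN` check on that platform only. Placement is also inconsistent across the change set: here the block follows `@@section FS`, while the new GNU/Hurd policy puts it before that directive.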
@ -629,7 +637,7 @@ SIG_HI = 100 ; # Critical files that are significant point
#============================================================================= #=============================================================================
# #
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, # Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved. # Inc. in the United States and other countries. All rights reserved.
# #
# FreeBSD is a registered trademark of the FreeBSD Project Inc. # FreeBSD is a registered trademark of the FreeBSD Project Inc.

View File

@ -65,12 +65,21 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SIG_HI = 100 ; # Critical files that are significant points of vulnerability
@ -114,56 +123,6 @@ SIG_HI = 100 ; # Critical files that are significant point
} }
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
##############################################################################
# ##
############################################################################## #
# # #
# Note: File locations here are different than in a stock HQ Connector # #
# installation. This is because Tripwire 2.3 uses a different path # #
# structure than Tripwire 2.2.1. # #
# # #
# You may need to update your HQ Agent configuation file (or this policy # #
# file) to correct the paths. We have attempted to support the FHS standard # #
# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
# places them. # #
# ##
##############################################################################
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
# #############################################################################
# ##############################################################################
# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
# # it does so by renaming the old file and creating a new one (which will ##
# # have a new inode number). Leaving inode turned on for keys, which ##
# # shouldn't ever change. ##
# #############################################################################
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group # Commonly accessed directories that should remain static with regards to owner and group
( (
rulename = "Invariant Directories", rulename = "Invariant Directories",
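Review bot: the commented-out "Tripwire HQ Connector" rules are deleted from this policy, but the DragonFly policy added in the same change set still ships the identical commented-out block, including the `hqagent`, `agent.cfg` and `authentication.key` entries. Pick one treatment and apply it to every policy file, so a reader comparing platforms does not conclude the connector is supported on some and not others.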
@ -1078,7 +1037,7 @@ SIG_HI = 100 ; # Critical files that are significant point
#============================================================================= #=============================================================================
# #
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, # Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved. # Inc. in the United States and other countries. All rights reserved.
# #
# Linux is a registered trademark of Linus Torvalds. # Linux is a registered trademark of Linus Torvalds.

159
policy/twpol-GNU.txt Normal file

@ -0,0 +1,159 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for GNU/Hurd ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="Boot files",)
{
/boot -> $(SEC_READONLY) -a;
}
(rulename="Binary files",)
{
/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
}
(rulename="Admin binaries",)
{
/servers -> $(SEC_READONLY) -a;
/sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(SEC_READONLY) -a;
/hurd -> $(SEC_READONLY) -a;
}
(rulename="Libraries",)
{
/lib -> $(SEC_READONLY) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
}
(rulename="Etc",)
{
/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
(rulename="Dev",)
{
/dev -> $(SEC_DEVICE);
}
(rulename="Tmp",)
{
/tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(SEC_TEMPORARY);
}
(rulename="Log",)
{
/var/log -> $(SEC_GROWING);
}
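
Review bot: The "Log" rule at the end of this file, "/var/log -> $(SEC_GROWING);", leaves the inode property on (SEC_GROWING is +pinugtdl-srbamcCMSH), so every log rotation that recreates a file will be reported as a violation. The LibertyBSD and Linux policies in this same change use "$(SEC_GROWING) -i" for /var/log; suggest "/var/log -> $(SEC_GROWING) -i ;" here so the new policy behaves the same way.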

1106
policy/twpol-HP-UX.txt Normal file

File diff suppressed because it is too large

178
policy/twpol-Haiku.txt Normal file

@ -0,0 +1,178 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for Haiku ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
### System dir ###############################################################
#
(rulename = "System Directory",)
{
/boot/system -> $(SEC_READONLY) -a;
}
### Other bin dirs ############################################################
#
(rulename = "Binary Directories",)
{
/boot/home/config/bin -> $(SEC_READONLY) -a;
/boot/common/bin -> $(SEC_READONLY) -a;
/boot/apps -> $(SEC_READONLY) -a;
# /boot/develop/tools/gnupro/bin -> $(SEC_READONLY) -a; #uncomment to monitor dev tools if present
}
### Other lib dirs ############################################################
#
(rulename = "Library Directories",)
{
/boot/common/lib -> $(SEC_READONLY) -a;
/boot/home/config/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/common/boot -> $(SEC_READONLY) -a;
/boot/home/config/boot -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/common/settings -> $(SEC_READONLY) -a;
/boot/common/data -> $(SEC_READONLY) -a;
/boot/common/etc -> $(SEC_READONLY) -a;
/boot/home/config/settings -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/boot/common/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/common/cache/tmp -> $(SEC_TEMPORARY) -a;
}
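
Review bot: The "-a" suffix on every rule from "System Directory" down to "Temp Directories" has no effect, and it reads as if access time would otherwise be checked. SEC_READONLY (-rlacSH), SEC_GROWING (-srbamcCMSH) and SEC_DEVICE (-intlbamcCMSH) already turn "a" off, and SEC_TEMPORARY (+pugt) never turns it on. Suggest dropping the suffix, e.g. "/dev -> $(SEC_DEVICE) ;". Style: the section banners switch from "### Name ###" to "# Name ###" starting at "Logs"; pick one form.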

292
policy/twpol-LibertyBSD.txt Normal file

@ -0,0 +1,292 @@
##############################################################################
# ##
############################################################################## #
# # #
# Tripwire 2.4 policy for LibertyBSD # #
# updated March 2018 # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
########################################
# ##
######################################## #
# # #
# Tripwire Binaries and Data Files # #
# ##
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already
# scanned using the real directory or mount point. Otherwise we see
# duplicates in the reports.
!/home/local ;
}
################################################
# ##
################################################ #
# # #
# OS Boot and Configuration Files # #
# ##
################################################
(
rulename = "OS Boot and Configuration Files",
)
{
/boot -> $(SEC_READONLY) ;
/bsd -> $(SEC_READONLY) ;
/etc -> $(SEC_IGNORE_NONE) -SHa ;
}
###################################################
# ##
################################################### #
# # #
# Mount Points # #
# ##
###################################################
(
rulename = "Mount Points",
)
{
/ -> $(SEC_READONLY) ;
/cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(SEC_DYNAMIC) ;
/home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(SEC_DYNAMIC) ;
/usr -> $(SEC_READONLY) ;
/var -> $(SEC_READONLY) ;
}
###################################################
# ##
################################################### #
# # #
# Misc Top-Level Directories # #
# ##
###################################################
(
rulename = "Misc Top-Level Directories",
)
{
/altroot -> $(SEC_DYNAMIC) ;
/stand -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# System Devices # #
# ##
################################################
(
rulename = "System Devices",
)
{
/dev -> $(SEC_DEVICE) ;
/dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(SEC_DEVICE) ;
}
################################################
# ##
################################################ #
# # #
# OS Binaries and Libraries # #
# ##
################################################
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(SEC_READONLY) ;
/sbin -> $(SEC_READONLY) ;
/usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(SEC_READONLY) ;
}
################################################
# ##
################################################ #
# # #
# Usr Local Files # #
# ##
################################################
#OK(
#OKrulename = "Usr Local Files",
#OK)
#OK{
#OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(SEC_READONLY) ;
#OK}
################################################
# ##
################################################ #
# # #
# Root Directory and Files # #
# ##
################################################
(
rulename = "Root Directory and Files",
)
{
/root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# Temporary Directories # #
# ##
################################################
(
rulename = "Temporary Directories",
)
{
/tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(SEC_TEMPORARY) ;
}
################################################
# ##
################################################ #
# # #
# System and Boot Changes # #
# ##
################################################
(
rulename = "System and Boot Changes",
)
{
/var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(SEC_GROWING) -i ;
/var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(SEC_TEMPORARY) ;
}
#
# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $
#
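
Review bot: On the layout the comment in "Tripwire Data Files" describes (/usr/local is a symbolic link to /home/local), nothing under /usr/local ends up monitored. "!/home/local ;" removes the real directory from "/home -> $(SEC_READONLY)", the "Usr Local Files" block is commented out with an unexplained "#OK" prefix, and "/usr -> $(SEC_READONLY)" records the link object rather than the files behind it. Suggest either removing the stop point so the /home rule covers the tree, or restoring a rule that points at the real path, and moving the stop point out of the Tripwire data-files rule, where it is unrelated to the rule's purpose. The trailing "$Id: twpol-OpenBSD.txt" tag is also left over from the file this one was copied from.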


@ -2,7 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for Red Hat Linux # # # Tripwire 2.4 policy for Linux (RPM) # #
# updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -59,13 +60,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
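
Review bot: SEC_READONLY is carried over as "+pinugtsdbmCM-rlacSH", which enables only the CRC-32 and MD5 hashes and keeps SHA and HAVAL off. Every binaries, libraries and boot rule further down resolves to this mask, so the content check on those files rests on MD5. Since these definitions are being touched anyway, consider turning S on here ("+pinugtsdbmCMS-rlacH") or appending "+S" on the rules for /bin, /sbin, /usr/bin and /usr/sbin, and note the extra scan time in the ChangeLog.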
@ -82,10 +83,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -102,14 +103,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
################################################ ################################################
@ -123,10 +124,10 @@ Temporary = +pugt ;
rulename = "RPM Checksum Files", rulename = "RPM Checksum Files",
) )
{ {
/var/lib/rpm -> $(ReadOnly); /var/lib/rpm -> $(SEC_READONLY);
/var/lib/rpm/__db.001 -> $(Dynamic) ; /var/lib/rpm/__db.001 -> $(SEC_DYNAMIC) ;
/var/lib/rpm/__db.002 -> $(Dynamic) ; /var/lib/rpm/__db.002 -> $(SEC_DYNAMIC) ;
/var/lib/rpm/__db.003 -> $(Dynamic) ; /var/lib/rpm/__db.003 -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -140,18 +141,18 @@ Temporary = +pugt ;
rulename = "Global Configuration Files", rulename = "Global Configuration Files",
) )
{ {
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
/etc/adjtime -> $(Dynamic) ; /etc/adjtime -> $(SEC_DYNAMIC) ;
/etc/aliases.db -> $(Dynamic) ; /etc/aliases.db -> $(SEC_DYNAMIC) ;
/etc/bashrc -> $(Dynamic) ; /etc/bashrc -> $(SEC_DYNAMIC) ;
/etc/csh.cshrc -> $(Dynamic) ; /etc/csh.cshrc -> $(SEC_DYNAMIC) ;
/etc/csh.login -> $(Dynamic) ; /etc/csh.login -> $(SEC_DYNAMIC) ;
/etc/mail/statistics -> $(Growing) ; /etc/mail/statistics -> $(SEC_GROWING) ;
/etc/profile -> $(Dynamic) -i ; /etc/profile -> $(SEC_DYNAMIC) -i ;
/etc/mtab -> $(Dynamic) -i ; /etc/mtab -> $(SEC_DYNAMIC) -i ;
/etc/rc.d -> $(IgnoreNone) -SHa ; /etc/rc.d -> $(SEC_IGNORE_NONE) -SHa ;
/etc/sysconfig -> $(IgnoreNone) -SHa ; /etc/sysconfig -> $(SEC_IGNORE_NONE) -SHa ;
/etc/sysconfig/hwconf -> $(Dynamic) -m ; /etc/sysconfig/hwconf -> $(SEC_DYNAMIC) -m ;
} }
################################################ ################################################
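
Review bot: The entries for /etc/bashrc, /etc/csh.cshrc, /etc/csh.login and /etc/profile override the stricter "/etc -> $(SEC_IGNORE_NONE) -SHa" rule with SEC_DYNAMIC (+pinugtd-srlbamcCMSH), which checks no size, no modification time and no hash; /etc/profile also drops the inode with "-i". An in-place content change to these login scripts that keeps owner and mode is therefore not reported. Suggest removing these four lines so the files inherit the /etc rule, or documenting why they are expected to change on an RPM system.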
@ -165,10 +166,10 @@ Temporary = +pugt ;
rulename = "OS Boot Files and Mount Points", rulename = "OS Boot Files and Mount Points",
) )
{ {
/boot -> $(ReadOnly) ; /boot -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(Dynamic) ; /floppy -> $(SEC_DYNAMIC) ;
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -182,12 +183,12 @@ Temporary = +pugt ;
rulename = "OS Devices and Misc Directories", rulename = "OS Devices and Misc Directories",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/initrd -> $(Dynamic) ; /initrd -> $(SEC_DYNAMIC) ;
/opt -> $(Dynamic) ; /opt -> $(SEC_DYNAMIC) ;
/lost+found -> $(Dynamic) ; /lost+found -> $(SEC_DYNAMIC) ;
/var/lost+found -> $(Dynamic) ; /var/lost+found -> $(SEC_DYNAMIC) ;
/home/lost+found -> $(Dynamic) ; /home/lost+found -> $(SEC_DYNAMIC) ;
!/dev/pts ; # Ignore this file !/dev/pts ; # Ignore this file
!/dev/shm ; # Ignore this file !/dev/shm ; # Ignore this file
} }
@ -203,14 +204,14 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/bin -> $(ReadOnly) ; /bin -> $(SEC_READONLY) ;
/lib -> $(ReadOnly) ; /lib -> $(SEC_READONLY) ;
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(ReadOnly) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(ReadOnly) ; /usr/X11R6/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
# ## # ##
@ -224,19 +225,19 @@ Temporary = +pugt ;
) )
{ {
!/home/local; !/home/local;
/usr/local -> $(ReadOnly) ; /usr/local -> $(SEC_READONLY) ;
/usr/local/bin -> $(ReadOnly) ; /usr/local/bin -> $(SEC_READONLY) ;
/usr/local/doc -> $(ReadOnly) ; /usr/local/doc -> $(SEC_READONLY) ;
/usr/local/etc -> $(ReadOnly) ; /usr/local/etc -> $(SEC_READONLY) ;
/usr/local/games -> $(ReadOnly) ; /usr/local/games -> $(SEC_READONLY) ;
/usr/local/include -> $(ReadOnly) ; /usr/local/include -> $(SEC_READONLY) ;
/usr/local/lib -> $(ReadOnly) ; /usr/local/lib -> $(SEC_READONLY) ;
/usr/local/libexec -> $(ReadOnly) ; /usr/local/libexec -> $(SEC_READONLY) ;
/usr/local/man -> $(ReadOnly) ; /usr/local/man -> $(SEC_READONLY) ;
/usr/local/sbin -> $(ReadOnly) ; /usr/local/sbin -> $(SEC_READONLY) ;
/usr/local/share -> $(ReadOnly) ; /usr/local/share -> $(SEC_READONLY) ;
/usr/local/src -> $(ReadOnly) ; /usr/local/src -> $(SEC_READONLY) ;
/usr/local/sysinfo -> $(ReadOnly) ; /usr/local/sysinfo -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -250,29 +251,29 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
/root -> $(IgnoreNone) -SHa ; /root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.bashrc -> $(Dynamic) ; /root/.bashrc -> $(SEC_DYNAMIC) ;
/root/.bash_history -> $(Dynamic) ; /root/.bash_history -> $(SEC_DYNAMIC) ;
#/root/.bash_logout -> $(Dynamic) ; #/root/.bash_logout -> $(SEC_DYNAMIC) ;
/root/.bash_profile -> $(Dynamic) ; /root/.bash_profile -> $(SEC_DYNAMIC) ;
/root/.cshrc -> $(Dynamic) ; /root/.cshrc -> $(SEC_DYNAMIC) ;
#/root/.enlightenment -> $(Dynamic) ; #/root/.enlightenment -> $(SEC_DYNAMIC) ;
#/root/.esd-auth -> $(Dynamic) ; #/root/.esd-auth -> $(SEC_DYNAMIC) ;
!/root/.gconf ; !/root/.gconf ;
!/root/.gconfd ; !/root/.gconfd ;
#/root/.gnome -> $(Dynamic) ; #/root/.gnome -> $(SEC_DYNAMIC) ;
#/root/.gnome-desktop -> $(Dynamic) ; #/root/.gnome-desktop -> $(SEC_DYNAMIC) ;
#/root/.gnome2 -> $(Dynamic) ; #/root/.gnome2 -> $(SEC_DYNAMIC) ;
#/root/.gtkrc -> $(Dynamic) ; #/root/.gtkrc -> $(SEC_DYNAMIC) ;
#/root/.gtkrc-1.2-gnome2 -> $(Dynamic) ; #/root/.gtkrc-1.2-gnome2 -> $(SEC_DYNAMIC) ;
#/root/.metacity -> $(Dynamic) ; #/root/.metacity -> $(SEC_DYNAMIC) ;
#/root/.nautilus -> $(Dynamic) ; #/root/.nautilus -> $(SEC_DYNAMIC) ;
#/root/.rhn-applet.conf -> $(Dynamic) ; #/root/.rhn-applet.conf -> $(SEC_DYNAMIC) ;
#/root/.tcshrc -> $(Dynamic) ; #/root/.tcshrc -> $(SEC_DYNAMIC) ;
#/root/.xauth -> $(Dynamic) ; #/root/.xauth -> $(SEC_DYNAMIC) ;
#/root/.ICEauthority -> $(Dynamic) ; #/root/.ICEauthority -> $(SEC_DYNAMIC) ;
#/root/.Xauthority -> $(Dynamic) -i ; #/root/.Xauthority -> $(SEC_DYNAMIC) -i ;
#/root/.Xresources -> $(Dynamic) ; #/root/.Xresources -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -286,12 +287,12 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/usr/tmp -> $(Temporary) ; /usr/tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
#/tmp/.fam-socket -> $(Temporary) ; #/tmp/.fam-socket -> $(SEC_TEMPORARY) ;
#/tmp/.ICE-unix -> $(Temporary) ; #/tmp/.ICE-unix -> $(SEC_TEMPORARY) ;
#/tmp/.X11-unix -> $(Temporary) ; #/tmp/.X11-unix -> $(SEC_TEMPORARY) ;
!/tmp/orbit-root ; !/tmp/orbit-root ;
} }
@ -306,21 +307,21 @@ Temporary = +pugt ;
rulename = "System Boot Changes", rulename = "System Boot Changes",
) )
{ {
/.autofsck -> $(Dynamic) -m ; /.autofsck -> $(SEC_DYNAMIC) -m ;
/var/cache/man/whatis -> $(Growing) ; /var/cache/man/whatis -> $(SEC_GROWING) ;
/var/lib/logrotate.status -> $(Growing) ; /var/lib/logrotate.status -> $(SEC_GROWING) ;
#/var/lib/nfs/statd -> $(Growing) ; #/var/lib/nfs/statd -> $(SEC_GROWING) ;
!/var/lib/random-seed ; !/var/lib/random-seed ;
#/var/lib/slocate/slocate.db -> $(Growing) -is ; #/var/lib/slocate/slocate.db -> $(SEC_GROWING) -is ;
/var/lock/subsys -> $(Dynamic) -i ; /var/lock/subsys -> $(SEC_DYNAMIC) -i ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
!/var/log/sa; !/var/log/sa;
!/var/log/cisco; !/var/log/cisco;
/var/run -> $(Dynamic) -i ; /var/run -> $(SEC_DYNAMIC) -i ;
/etc/cron.daily -> $(Growing); /etc/cron.daily -> $(SEC_GROWING);
/etc/cron.weekly -> $(Growing); /etc/cron.weekly -> $(SEC_GROWING);
/etc/cron.monthly -> $(Growing); /etc/cron.monthly -> $(SEC_GROWING);
/var/spool/mail -> $(Growing); /var/spool/mail -> $(SEC_GROWING);
} }
################################################ ################################################
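
Review bot: /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly are assigned SEC_GROWING, a mask meant for log files: hashes, size and modification time are all off and the "l" property only flags a file that shrinks. These directories hold scripts that cron runs, so they should get at least the coverage of the parent /etc rule. Suggest dropping the three lines, or using "$(SEC_IGNORE_NONE) -SHa" as /etc/rc.d and /etc/sysconfig do.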
@ -334,10 +335,10 @@ Temporary = +pugt ;
rulename = "Monitor Filesystems", rulename = "Monitor Filesystems",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/home -> $(ReadOnly) ; # Modify as needed /home -> $(SEC_READONLY) ; # Modify as needed
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################ ################################################


@ -0,0 +1,664 @@
#
# Policy file for MidnightBSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
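Review bot: in the /dev rule the pty list goes from /dev/ttypj straight to /dev/ttypl, so /dev/ttypk is the only name between ttyp0 and ttypv without a $(SEC_TTY) line and falls through to the recursive /dev -> $(Device) rule above it. Add "/dev/ttypk -> $(SEC_TTY) ;" or note in a comment why it is left out. That /dev line is also the only rule in the visible part of this file that uses $(Device) rather than a SEC_ name, which is worth aligning with the rest of the file. The section comment "Copatibility (Linux)" should read "Compatibility".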

176
policy/twpol-Minix.txt Normal file

@ -0,0 +1,176 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for Minix ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="Boot files",)
{
/boot -> $(SEC_READONLY) -a;
/boot_monitor -> $(SEC_READONLY) -a;
/boot.cfg -> $(SEC_READONLY) -a;
}
(rulename="Binary files",)
{
/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
/usr/pkg/bin -> $(SEC_READONLY) -a;
}
(rulename="Development",)
{
/usr/pkg/gnu/bin -> $(SEC_READONLY) -a;
/usr/pkg/i386-elf32-minix/bin -> $(SEC_READONLY) -a;
}
(rulename="Libexec",)
{
/usr/libexec -> $(SEC_READONLY) -a;
/usr/pkg/libexec -> $(SEC_READONLY) -a;
}
(rulename="Admin binaries",)
{
/service -> $(SEC_READONLY) -a;
/sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(SEC_READONLY) -a;
/usr/pkg/sbin -> $(SEC_READONLY) -a;
}
(rulename="Libraries",)
{
/lib -> $(SEC_READONLY) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/pkg/lib -> $(SEC_READONLY) -a;
}
(rulename="Etc",)
{
/etc -> $(SEC_READONLY) -a;
/usr/etc -> $(SEC_READONLY) -a;
/usr/pkg/etc -> $(SEC_READONLY) -a;
}
(rulename="Dev",)
{
/dev -> $(SEC_DEVICE);
}
(rulename="Tmp",)
{
/tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(SEC_TEMPORARY);
/usr/tmp -> $(SEC_TEMPORARY);
}
(rulename="Log",)
{
/var/log -> $(SEC_GROWING);
}
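Review bot: "/var/log -> $(SEC_GROWING);" in the Log rule keeps the inode check, because SEC_GROWING is defined above as +pinugtdl-srbamcCMSH, so a log that is rotated by rename and recreate will be reported on the next integrity check. Consider "$(SEC_GROWING) -i", as the MirBSD policy in this same change does for /var/log, or document that rotation is expected to raise violations. Separately, the trailing -a on every $(SEC_READONLY) line is a no-op, since SEC_READONLY already lists a after the minus sign, and none of the rules sets a severity, so boot files and /tmp all report at the same default level.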

292
policy/twpol-MirBSD.txt Normal file

@ -0,0 +1,292 @@
##############################################################################
# ##
############################################################################## #
# # #
# Tripwire 2.4 policy for MirOS BSD # #
# updated March 2018 # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
########################################
# ##
######################################## #
# # #
# Tripwire Binaries and Data Files # #
# ##
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already
# scanned using the real directory or mount point. Otherwise we see
# duplicates in the reports.
!/home/local ;
}
################################################
# ##
################################################ #
# # #
# OS Boot and Configuration Files # #
# ##
################################################
(
rulename = "OS Boot and Configuration Files",
)
{
/boot -> $(SEC_READONLY) ;
/bsd -> $(SEC_READONLY) ;
/etc -> $(SEC_IGNORE_NONE) -SHa ;
}
###################################################
# ##
################################################### #
# # #
# Mount Points # #
# ##
###################################################
(
rulename = "Mount Points",
)
{
/ -> $(SEC_READONLY) ;
/cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(SEC_DYNAMIC) ;
/home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(SEC_DYNAMIC) ;
/usr -> $(SEC_READONLY) ;
/var -> $(SEC_READONLY) ;
}
###################################################
# ##
################################################### #
# # #
# Misc Top-Level Directories # #
# ##
###################################################
(
rulename = "Misc Top-Level Directories",
)
{
/altroot -> $(SEC_DYNAMIC) ;
/stand -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# System Devices # #
# ##
################################################
(
rulename = "System Devices",
)
{
/dev -> $(SEC_DEVICE) ;
/dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(SEC_DEVICE) ;
}
################################################
# ##
################################################ #
# # #
# OS Binaries and Libraries # #
# ##
################################################
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(SEC_READONLY) ;
/sbin -> $(SEC_READONLY) ;
/usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(SEC_READONLY) ;
}
################################################
# ##
################################################ #
# # #
# Usr Local Files # #
# ##
################################################
#OK(
#OKrulename = "Usr Local Files",
#OK)
#OK{
#OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(SEC_READONLY) ;
#OK}
################################################
# ##
################################################ #
# # #
# Root Directory and Files # #
# ##
################################################
(
rulename = "Root Directory and Files",
)
{
/root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# Temporary Directories # #
# ##
################################################
(
rulename = "Temporary Directories",
)
{
/tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(SEC_TEMPORARY) ;
}
################################################
# ##
################################################ #
# # #
# System and Boot Changes # #
# ##
################################################
(
rulename = "System and Boot Changes",
)
{
/var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(SEC_GROWING) -i ;
/var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(SEC_TEMPORARY) ;
}
#
# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $
#
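Review bot: the stop point "!/home/local ;" inside the Tripwire Data Files rule, together with the Usr Local Files block being disabled with #OK prefixes, leaves the contents of /usr/local unchecked in the layout the comment describes. The comment says the tree is "already scanned using the real directory or mount point", but /home/local is the real directory and it is the path being excluded; no active rule names /usr/local, and the /usr rule would only see the link itself, assuming symbolic links are not followed. Either drop the stop point from the default policy or re-enable the /usr/local rule, and keep site-specific exclusions out of the Tripwire Data Files rule. The trailing "$Id: twpol-OpenBSD.txt" line also looks left over from the file this policy was copied from.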

664
policy/twpol-NetBSD.txt Normal file

@ -0,0 +1,664 @@
#
# Policy file for NetBSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
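Review bot: In the "/dev" rule, `/dev -> $(Device) (recurse = true) ;` is the only entry in this stretch of the file that does not use a SEC_ name; the rules around it use SEC_CRIT, SEC_TTY, SEC_CONFIG, SEC_INVARIANT and SEC_BIN. If the goal is one naming convention across the policies, define and use a SEC_ device mask here, as the OpenBSD and Solaris policies do with SEC_DEVICE. Two smaller things in the same stretch: the pty list goes from /dev/ttypj straight to /dev/ttypl with no /dev/ttypk entry, and the section comment reads "Copatibility (Linux)".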


@ -2,8 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for OpenBSD 3.5 # # # Tripwire 2.4 policy for OpenBSD # #
# May 20, 2003 # # # updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
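Review bot: The new banner line "Tripwire 2.4 policy for OpenBSD" drops the "OpenBSD 3.5" release that the old header recorded, and "updated March 2018" does not say which release the path list was checked against. Keep the release in the header, or add a "written for" line, so an administrator can judge how current the paths are before deploying the policy.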
@ -60,13 +60,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
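Review bot: `SEC_READONLY = +pinugtsdbmCM-rlacSH ;` carries the old ReadOnly mask over unchanged, so everything assigned this mask (the Tripwire binaries, keys, /bin, /sbin and so on) is hashed with CRC-32 and MD5 only, with SHA and HAVAL in the ignored set. Since these definitions are being rewritten anyway, consider moving S into the checked set for SEC_READONLY, or add a comment stating why SHA is left out.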
@ -83,10 +83,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -103,14 +103,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -131,9 +131,9 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/boot -> $(ReadOnly) ; /boot -> $(SEC_READONLY) ;
/bsd -> $(ReadOnly) ; /bsd -> $(SEC_READONLY) ;
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
} }
################################################### ###################################################
@ -147,13 +147,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(Dynamic) ; /floppy -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; # Modify as needed /home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,8 +167,8 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/altroot -> $(Dynamic) ; /altroot -> $(SEC_DYNAMIC) ;
/stand -> $(Dynamic) ; /stand -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -182,10 +182,10 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/dev/fd -> $(Device) ; /dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(Device) ; /var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(Device) ; /var/empty/dev/log -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -199,14 +199,14 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/bin -> $(ReadOnly) ; /bin -> $(SEC_READONLY) ;
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(ReadOnly) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(ReadOnly) ; /usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(ReadOnly) ; /usr/X11R6/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
# ## # ##
@ -219,19 +219,19 @@ Temporary = +pugt ;
#OKrulename = "Usr Local Files", #OKrulename = "Usr Local Files",
#OK) #OK)
#OK{ #OK{
#OK/usr/local -> $(ReadOnly) ; #OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(ReadOnly) ; #OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(ReadOnly) ; #OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(ReadOnly) ; #OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(ReadOnly) ; #OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(ReadOnly) ; #OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(ReadOnly) ; #OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(ReadOnly) ; #OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(ReadOnly) ; #OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(ReadOnly) ; #OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(ReadOnly) ; #OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(ReadOnly) ; #OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(ReadOnly) ; #OK/usr/local/src -> $(SEC_READONLY) ;
#OK} #OK}
################################################ ################################################
@ -245,9 +245,9 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
/root -> $(IgnoreNone) -SHa ; /root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(Dynamic) ; /root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(Dynamic) ; /root/.profile -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -261,8 +261,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -276,15 +276,15 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/var/backups -> $(Dynamic) -i ; /var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(ReadOnly) -mCM ; /var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(Growing) -i ; /var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
/var/run -> $(Dynamic) -i ; /var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(Growing) ; /var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(ReadOnly) -smbCM ; /var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(Temporary) ; /var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(Temporary) ; /var/spool/mqueue -> $(SEC_TEMPORARY) ;
} }
# #


@ -2,7 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for Solaris 8 # # # Tripwire 2.4 policy for Solaris # #
# updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -61,13 +62,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -84,10 +85,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -104,14 +105,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -132,8 +133,8 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
/kernel -> $(ReadOnly) ; /kernel -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -147,13 +148,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; /home -> $(SEC_READONLY) ;
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
/opt -> $(ReadOnly) ; /opt -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,7 +168,7 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/lost+found -> $(ReadOnly) ; /lost+found -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -181,8 +182,8 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/devices -> $(Device) ; /devices -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -196,12 +197,12 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/openwin/bin -> $(ReadOnly) ; /usr/openwin/bin -> $(SEC_READONLY) ;
/usr/openwin/lib -> $(ReadOnly) ; /usr/openwin/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -216,9 +217,9 @@ Temporary = +pugt ;
) )
{ {
! /.netscape/cache ; ! /.netscape/cache ;
/.bash_history -> $(ReadOnly) -smbCM; /.bash_history -> $(SEC_READONLY) -smbCM;
/.sh_history -> $(Dynamic) ; /.sh_history -> $(SEC_DYNAMIC) ;
/.Xauthority -> $(ReadOnly) ; /.Xauthority -> $(SEC_READONLY) ;
} }
################################################ ################################################
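Review bot: `/.bash_history -> $(SEC_READONLY) -smbCM;` strips size, mtime, block count and both hashes from SEC_READONLY, which leaves `+pinugtd`, exactly the SEC_DYNAMIC mask already used for `/.sh_history` on the next line. Write both entries with the same variable so the intent is readable, and consider SEC_GROWING for the two history files, since its `l` property is the one that reports a file that has shrunk.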
@ -232,8 +233,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -295,17 +296,17 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/etc/.pwd.lock -> $(ReadOnly) -cm; /etc/.pwd.lock -> $(SEC_READONLY) -cm;
/etc/coreadm.conf -> $(ReadOnly) -cm; /etc/coreadm.conf -> $(SEC_READONLY) -cm;
/var/adm -> $(Growing) -i; /var/adm -> $(SEC_GROWING) -i;
#/var/backups -> $(Dynamic) -i ; #/var/backups -> $(SEC_DYNAMIC) -i ;
/var/cron/log -> $(Growing) -i ; /var/cron/log -> $(SEC_GROWING) -i ;
#/var/db/host.random -> $(ReadOnly) -mCM ; #/var/db/host.random -> $(SEC_READONLY) -mCM ;
#/var/db/locate.database -> $(ReadOnly) -misCM ; #/var/db/locate.database -> $(SEC_READONLY) -misCM ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
#/var/run -> $(Dynamic) -i ; #/var/run -> $(SEC_DYNAMIC) -i ;
#/var/mail -> $(Growing) ; #/var/mail -> $(SEC_GROWING) ;
#/var/msgs/bounds -> $(ReadOnly) -smbCM ; #/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
!/var/sendmail ; !/var/sendmail ;
!/var/spool/clientmqueue ; !/var/spool/clientmqueue ;
!/var/spool/mqueue ; !/var/spool/mqueue ;

184
policy/twpol-Syllable.txt Normal file

@ -0,0 +1,184 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for Syllable ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
### System dir ###############################################################
#
(rulename = "System Directory",)
{
/boot/system -> $(SEC_READONLY) -a;
}
### Other bin dirs ############################################################
#
(rulename = "Binary Directories",)
{
/boot/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
/boot/Applications -> $(SEC_READONLY) -a;
/resources/index/bin -> $(SEC_READONLY) -a;
}
(rulename = "Admin Binary Directories",)
{
/usr/local/sbin -> $(SEC_READONLY) -a;
/resources/index/sbin -> $(SEC_READONLY) -a;
/usr/local/libexec -> $(SEC_READONLY) -a;
/resources/index/libexec -> $(SEC_READONLY) -a;
}
### Other lib dirs ############################################################
#
(rulename = "Library Directories",)
{
/usr/local/lib -> $(SEC_READONLY) -a;
/resources/index/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/boot/grub -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/tmp -> $(SEC_TEMPORARY) -a;
}
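Review bot: Every rule from "System Directory" down appends `-a` (for example `/boot/system -> $(SEC_READONLY) -a;`), but SEC_READONLY, SEC_GROWING and SEC_DEVICE as defined at the top of this file already have `a` in their ignored set, and SEC_TEMPORARY lists only `+pugt`. The suffix changes nothing as written; drop it, or if access-time handling on Syllable needs calling out, say so in a comment. The banner also gives no date or Syllable release, unlike the "updated March 2018" line added to the OpenBSD and Solaris policies.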

183
policy/twpol-skyos.txt Normal file

@ -0,0 +1,183 @@
###############################################################################
# ##
# Default Tripwire 2.4 Policy file for SkyOS ##
# ##
###############################################################################
###############################################################################
# ##
# Global Variable Definitions ##
# ##
# These are defined at install time by the installation script. You may ##
# Manually edit these if you are using this file directly and not from the ##
# installation script itself. ##
# ##
###############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
#########################################
# ##
# Tripwire Binaries and Data Files ##
# ##
#########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
### System dir ###############################################################
#
(rulename = "System Directory",)
{
/boot/system -> $(SEC_READONLY) -a;
/boot/system/registry.rsm -> $(SEC_READONLY) -am;
}
(rulename = "System Files",)
{
/boot/kernel.sys -> $(SEC_READONLY) -a;
/boot/kernel.dbg -> $(SEC_READONLY) -a;
/boot/init.scr -> $(SEC_READONLY) -a;
/boot/install.sif -> $(SEC_READONLY) -a;
}
### Other bin dirs ############################################################
#
(rulename = "Binary Directories",)
{
/boot/programs -> $(SEC_READONLY) -a;
}
### Other lib dirs ############################################################
#
(rulename = "Library Directories",)
{
/usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/boot/grub -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/programs/unix/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(SEC_DEVICE) -a;
/fifo -> $(SEC_DEVICE) -a;
/pty -> $(SEC_DEVICE) -as;
/systeminterface -> $(SEC_DEVICE) -a;
/umfs -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/temp -> $(SEC_TEMPORARY) -a;
}
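Review bot: SEC_READONLY (`+pinugtsdbmCM-rlacSH`) checks only CRC-32 and MD5 and explicitly drops SHA and HAVAL, yet it is the mask applied to the Tripwire binaries, `site.key`, the local key and `/boot/kernel.sys`. CRC-32 is not a cryptographic hash and MD5 is collision-broken, so for those rules I would add `S` to the mask (or define a stricter mask for them) rather than inherit the generic read-only one. Separately, the legend says `a` is mutually exclusive with `+CMSH`, but SEC_IGNORE_NONE (`+pinugtsdrbamcCMSH-l`) enables both; either the comment or the mask should be adjusted.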


@ -8,3 +8,7 @@ install:
uninstall: uninstall:
true true
clean-local: clean-local-check
.PHONY: clean-local-check
clean-local-check:
-rm -rf test-harness/twtest
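Review bot: The `-rm -rf test-harness/twtest` recipe under `clean-local-check` uses a path relative to whatever directory make is running in, so it only removes the intended tree when make runs from the directory that holds `test-harness/`. Anchoring the path on `$(top_builddir)` or `$(srcdir)`, depending on where the harness writes, would make that explicit. The `clean-local: clean-local-check` indirection also looks unnecessary; the recipe could sit directly under `clean-local`.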


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -282,7 +282,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@
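Review bot: The dropped `runstatedir = @runstatedir@` line, together with the 1.15 to 1.15.1 change in the header, suggests this generated Makefile.in was rebuilt with a different autotools installation than the previous revision. Please regenerate every checked-in autotools output (configure and all Makefile.in files) from one toolchain in a single step, and say so in the commit message, so generated churn is not mixed with the hand-written `clean-local` change.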
@ -520,7 +519,7 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild." @echo "it deletes files that may require special tools to rebuild."
clean: clean-recursive clean: clean-recursive
clean-am: clean-generic mostlyclean-am clean-am: clean-generic clean-local mostlyclean-am
distclean: distclean-recursive distclean: distclean-recursive
-rm -f Makefile -rm -f Makefile
@ -587,16 +586,17 @@ uninstall-am:
.MAKE: $(am__recursive_targets) install-am install-strip .MAKE: $(am__recursive_targets) install-am install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
check-am clean clean-generic cscopelist-am ctags ctags-am \ check-am clean clean-generic clean-local cscopelist-am ctags \
distclean distclean-generic distclean-tags distdir dvi dvi-am \ ctags-am distclean distclean-generic distclean-tags distdir \
html html-am info info-am install install-am install-data \ dvi dvi-am html html-am info info-am install install-am \
install-data-am install-dvi install-dvi-am install-exec \ install-data install-data-am install-dvi install-dvi-am \
install-exec-am install-html install-html-am install-info \ install-exec install-exec-am install-html install-html-am \
install-info-am install-man install-pdf install-pdf-am \ install-info install-info-am install-man install-pdf \
install-ps install-ps-am install-strip installcheck \ install-pdf-am install-ps install-ps-am install-strip \
installcheck-am installdirs installdirs-am maintainer-clean \ installcheck installcheck-am installdirs installdirs-am \
maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ maintainer-clean maintainer-clean-generic mostlyclean \
pdf-am ps ps-am tags tags-am uninstall uninstall-am mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \
uninstall-am
.PRECIOUS: Makefile .PRECIOUS: Makefile
@ -607,6 +607,11 @@ install:
uninstall: uninstall:
true true
clean-local: clean-local-check
.PHONY: clean-local-check
clean-local-check:
-rm -rf test-harness/twtest
# Tell versions [3.59,3.63) of GNU make to not export all variables. # Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded. # Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT: .NOEXPORT:


@ -1,2 +1 @@
#define BUILD_NUM _T("0") #define BUILD_NUM _T("0")


@ -9,32 +9,33 @@ libcore_a_SOURCES = \
archive.cpp charutil.cpp \ archive.cpp charutil.cpp \
cmdlineparser.cpp codeconvert.cpp core.cpp coreerrors.cpp \ cmdlineparser.cpp codeconvert.cpp core.cpp coreerrors.cpp \
corestrings.cpp crc32.cpp debug.cpp displayencoder.cpp \ corestrings.cpp crc32.cpp debug.cpp displayencoder.cpp \
displayutil.cpp error.cpp errorbucketimpl.cpp errortable.cpp \ displayutil.cpp epoch.cpp error.cpp errorbucketimpl.cpp errortable.cpp \
errorutil.cpp fileerror.cpp fileheader.cpp fsservices.cpp \ errorutil.cpp fileerror.cpp fileheader.cpp fsservices.cpp \
growheap.cpp hashtable.cpp haval.cpp msystem.cpp ntmbs.cpp \ growheap.cpp hashtable.cpp haval.cpp msystem.cpp ntmbs.cpp \
objectpool.cpp refcountobj.cpp serializable.cpp serializer.cpp \ refcountobj.cpp serializable.cpp serializer.cpp \
serializerimpl.cpp serializerutil.cpp serstring.cpp \ serializerimpl.cpp serializerutil.cpp serstring.cpp \
srefcountobj.cpp srefcounttbl.cpp stdcore.cpp stringutil.cpp \ srefcountobj.cpp srefcounttbl.cpp stdcore.cpp stringutil.cpp \
timebomb.cpp timeconvert.cpp tw_signal.cpp twlimits.cpp twlocale.cpp \ timeconvert.cpp tw_signal.cpp twlimits.cpp twlocale.cpp \
unixexcept.cpp usernotify.cpp usernotifystdout.cpp utf8.cpp \ unixexcept.cpp usernotify.cpp usernotifystdout.cpp \
wchar16.cpp wchar16.cpp
libcore_a_HEADERS = archive.h charutil.h cmdlineparser.h codeconvert.h \ libcore_a_HEADERS = archive.h charutil.h cmdlineparser.h codeconvert.h \
core.h coreerrors.h corestrings.h crc32.h debug.h displayencoder.h \ core.h coreerrors.h corestrings.h crc32.h debug.h displayencoder.h \
displayutil.h error.h errorbucket.h errorbucketimpl.h errorgeneral.h \ displayutil.h epoch.h error.h errorbucket.h errorbucketimpl.h errorgeneral.h \
errortable.h errorutil.h file.h fileerror.h fileheader.h fixedfilebuf.h \ errortable.h errorutil.h file.h fileerror.h fileheader.h fixedfilebuf.h \
fsservices.h growheap.h hashtable.h haval.h md5.h msystem.h ntdbs.h \ fsservices.h growheap.h hashtable.h haval.h md5.h msystem.h ntdbs.h \
ntmbs.h objectpool.h package.h platform.h refcountobj.h resources.h \ ntmbs.h package.h platform.h refcountobj.h resources.h \
serializable.h serializer.h serializerimpl.h serializerutil.h serstring.h \ serializable.h serializer.h serializerimpl.h serializerutil.h serstring.h \
sha.h srefcountobj.h srefcounttbl.h stdcore.h stringutil.h tasktimer.h \ sha.h srefcountobj.h srefcounttbl.h stdcore.h stringutil.h tasktimer.h \
tchar.h timebomb.h timeconvert.h tw_signal.h twlimits.h twlocale.h \ tchar.h timeconvert.h tw_signal.h twlimits.h twlocale.h \
twstringslang.h typed.h types.h unixexcept.h unixfsservices.h upperbound.h \ twstringslang.h typed.h types.h unixexcept.h unixfsservices.h upperbound.h \
usernotify.h usernotifystdout.h utf8.h wchar16.h usernotify.h usernotifystdout.h wchar16.h
libcore_a_LIBADD = @CORE_CRYPT_O@ libcore_a_LIBADD = @CORE_CRYPT_O@
libcore_a_DEPENDENCIES = @CORE_CRYPT_O@ libcore_a_DEPENDENCIES = @CORE_CRYPT_O@
DEFS = @DEFS@ # This gets rid of the -I. so AM_CPPFLAGS must be more explicit DEFS = @DEFS@ # This gets rid of the -I. so AM_CPPFLAGS must be more explicit
CLEANFILES = *.gcno *.gcda
all: $(noinst_LIBRARIES) all: $(noinst_LIBRARIES)
$(AR) ru ../../lib/libtripwire.a $(libcore_a_OBJECTS) $(libcore_a_LIBADD) $(AR) ru ../../lib/libtripwire.a $(libcore_a_OBJECTS) $(libcore_a_LIBADD)
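Review bot: `libcore_a_SOURCES` drops `objectpool.cpp`, `timebomb.cpp` and `utf8.cpp`, and `libcore_a_HEADERS` drops the matching headers, but nothing in this hunk shows the files themselves being deleted or their remaining includes being cleaned up. Please confirm no translation unit still includes `timebomb.h`, `utf8.h` or `objectpool.h`; a stale include would still compile from a source checkout and only fail from a dist tarball. The new `CLEANFILES = *.gcno *.gcda` line would also benefit from a short comment saying it is for coverage builds.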


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -113,20 +113,19 @@ am_libcore_a_OBJECTS = file_unix.$(OBJEXT) unixfsservices.$(OBJEXT) \
archive.$(OBJEXT) charutil.$(OBJEXT) cmdlineparser.$(OBJEXT) \ archive.$(OBJEXT) charutil.$(OBJEXT) cmdlineparser.$(OBJEXT) \
codeconvert.$(OBJEXT) core.$(OBJEXT) coreerrors.$(OBJEXT) \ codeconvert.$(OBJEXT) core.$(OBJEXT) coreerrors.$(OBJEXT) \
corestrings.$(OBJEXT) crc32.$(OBJEXT) debug.$(OBJEXT) \ corestrings.$(OBJEXT) crc32.$(OBJEXT) debug.$(OBJEXT) \
displayencoder.$(OBJEXT) displayutil.$(OBJEXT) error.$(OBJEXT) \ displayencoder.$(OBJEXT) displayutil.$(OBJEXT) epoch.$(OBJEXT) \
errorbucketimpl.$(OBJEXT) errortable.$(OBJEXT) \ error.$(OBJEXT) errorbucketimpl.$(OBJEXT) errortable.$(OBJEXT) \
errorutil.$(OBJEXT) fileerror.$(OBJEXT) fileheader.$(OBJEXT) \ errorutil.$(OBJEXT) fileerror.$(OBJEXT) fileheader.$(OBJEXT) \
fsservices.$(OBJEXT) growheap.$(OBJEXT) hashtable.$(OBJEXT) \ fsservices.$(OBJEXT) growheap.$(OBJEXT) hashtable.$(OBJEXT) \
haval.$(OBJEXT) msystem.$(OBJEXT) ntmbs.$(OBJEXT) \ haval.$(OBJEXT) msystem.$(OBJEXT) ntmbs.$(OBJEXT) \
objectpool.$(OBJEXT) refcountobj.$(OBJEXT) \ refcountobj.$(OBJEXT) serializable.$(OBJEXT) \
serializable.$(OBJEXT) serializer.$(OBJEXT) \ serializer.$(OBJEXT) serializerimpl.$(OBJEXT) \
serializerimpl.$(OBJEXT) serializerutil.$(OBJEXT) \ serializerutil.$(OBJEXT) serstring.$(OBJEXT) \
serstring.$(OBJEXT) srefcountobj.$(OBJEXT) \ srefcountobj.$(OBJEXT) srefcounttbl.$(OBJEXT) \
srefcounttbl.$(OBJEXT) stdcore.$(OBJEXT) stringutil.$(OBJEXT) \ stdcore.$(OBJEXT) stringutil.$(OBJEXT) timeconvert.$(OBJEXT) \
timebomb.$(OBJEXT) timeconvert.$(OBJEXT) tw_signal.$(OBJEXT) \ tw_signal.$(OBJEXT) twlimits.$(OBJEXT) twlocale.$(OBJEXT) \
twlimits.$(OBJEXT) twlocale.$(OBJEXT) unixexcept.$(OBJEXT) \ unixexcept.$(OBJEXT) usernotify.$(OBJEXT) \
usernotify.$(OBJEXT) usernotifystdout.$(OBJEXT) utf8.$(OBJEXT) \ usernotifystdout.$(OBJEXT) wchar16.$(OBJEXT)
wchar16.$(OBJEXT)
libcore_a_OBJECTS = $(am_libcore_a_OBJECTS) libcore_a_OBJECTS = $(am_libcore_a_OBJECTS)
AM_V_P = $(am__v_P_@AM_V@) AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@ -314,7 +313,6 @@ pdfdir = @pdfdir@
prefix = @prefix@ prefix = @prefix@
program_transform_name = @program_transform_name@ program_transform_name = @program_transform_name@
psdir = @psdir@ psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@ srcdir = @srcdir@
@ -336,30 +334,31 @@ libcore_a_SOURCES = \
archive.cpp charutil.cpp \ archive.cpp charutil.cpp \
cmdlineparser.cpp codeconvert.cpp core.cpp coreerrors.cpp \ cmdlineparser.cpp codeconvert.cpp core.cpp coreerrors.cpp \
corestrings.cpp crc32.cpp debug.cpp displayencoder.cpp \ corestrings.cpp crc32.cpp debug.cpp displayencoder.cpp \
displayutil.cpp error.cpp errorbucketimpl.cpp errortable.cpp \ displayutil.cpp epoch.cpp error.cpp errorbucketimpl.cpp errortable.cpp \
errorutil.cpp fileerror.cpp fileheader.cpp fsservices.cpp \ errorutil.cpp fileerror.cpp fileheader.cpp fsservices.cpp \
growheap.cpp hashtable.cpp haval.cpp msystem.cpp ntmbs.cpp \ growheap.cpp hashtable.cpp haval.cpp msystem.cpp ntmbs.cpp \
objectpool.cpp refcountobj.cpp serializable.cpp serializer.cpp \ refcountobj.cpp serializable.cpp serializer.cpp \
serializerimpl.cpp serializerutil.cpp serstring.cpp \ serializerimpl.cpp serializerutil.cpp serstring.cpp \
srefcountobj.cpp srefcounttbl.cpp stdcore.cpp stringutil.cpp \ srefcountobj.cpp srefcounttbl.cpp stdcore.cpp stringutil.cpp \
timebomb.cpp timeconvert.cpp tw_signal.cpp twlimits.cpp twlocale.cpp \ timeconvert.cpp tw_signal.cpp twlimits.cpp twlocale.cpp \
unixexcept.cpp usernotify.cpp usernotifystdout.cpp utf8.cpp \ unixexcept.cpp usernotify.cpp usernotifystdout.cpp \
wchar16.cpp wchar16.cpp
libcore_a_HEADERS = archive.h charutil.h cmdlineparser.h codeconvert.h \ libcore_a_HEADERS = archive.h charutil.h cmdlineparser.h codeconvert.h \
core.h coreerrors.h corestrings.h crc32.h debug.h displayencoder.h \ core.h coreerrors.h corestrings.h crc32.h debug.h displayencoder.h \
displayutil.h error.h errorbucket.h errorbucketimpl.h errorgeneral.h \ displayutil.h epoch.h error.h errorbucket.h errorbucketimpl.h errorgeneral.h \
errortable.h errorutil.h file.h fileerror.h fileheader.h fixedfilebuf.h \ errortable.h errorutil.h file.h fileerror.h fileheader.h fixedfilebuf.h \
fsservices.h growheap.h hashtable.h haval.h md5.h msystem.h ntdbs.h \ fsservices.h growheap.h hashtable.h haval.h md5.h msystem.h ntdbs.h \
ntmbs.h objectpool.h package.h platform.h refcountobj.h resources.h \ ntmbs.h package.h platform.h refcountobj.h resources.h \
serializable.h serializer.h serializerimpl.h serializerutil.h serstring.h \ serializable.h serializer.h serializerimpl.h serializerutil.h serstring.h \
sha.h srefcountobj.h srefcounttbl.h stdcore.h stringutil.h tasktimer.h \ sha.h srefcountobj.h srefcounttbl.h stdcore.h stringutil.h tasktimer.h \
tchar.h timebomb.h timeconvert.h tw_signal.h twlimits.h twlocale.h \ tchar.h timeconvert.h tw_signal.h twlimits.h twlocale.h \
twstringslang.h typed.h types.h unixexcept.h unixfsservices.h upperbound.h \ twstringslang.h typed.h types.h unixexcept.h unixfsservices.h upperbound.h \
usernotify.h usernotifystdout.h utf8.h wchar16.h usernotify.h usernotifystdout.h wchar16.h
libcore_a_LIBADD = @CORE_CRYPT_O@ libcore_a_LIBADD = @CORE_CRYPT_O@
libcore_a_DEPENDENCIES = @CORE_CRYPT_O@ libcore_a_DEPENDENCIES = @CORE_CRYPT_O@
CLEANFILES = *.gcno *.gcda
all: all-am all: all-am
.SUFFIXES: .SUFFIXES:
@ -546,6 +545,7 @@ install-strip:
mostlyclean-generic: mostlyclean-generic:
clean-generic: clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic: distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -51,28 +51,6 @@
#include "corestrings.h" // for: STR_ERR2_ARCH_CRYPTO_ERR #include "corestrings.h" // for: STR_ERR2_ARCH_CRYPTO_ERR
//=============================================================================
// Utility Functions
//=============================================================================
///////////////////////////////////////////////////////////////////////////////
// util_IsDir -- returns true if a given file is a directory
///////////////////////////////////////////////////////////////////////////////
bool util_IsDir( const TSTRING& fileName )
{
cFSStatArgs s;
try
{
iFSServices::GetInstance()->Stat( fileName, s );
}
catch( eFSServices )
{
return false;
}
return( s.mFileType == cFSStatArgs::TY_DIR );
}
//============================================================================= //=============================================================================
// eArchiveCrypto // eArchiveCrypto
//============================================================================= //=============================================================================
@ -222,7 +200,10 @@ int32 cArchive::GetStorageSize(const TSTRING& str)
int64 cArchive::Copy(cArchive* pFrom, int64 amt) int64 cArchive::Copy(cArchive* pFrom, int64 amt)
{ {
enum { BUF_SIZE = 2048 }; enum
{
BUF_SIZE = 2048
};
int8 buf[BUF_SIZE]; int8 buf[BUF_SIZE];
int64 amtLeft = amt; int64 amtLeft = amt;
@ -310,8 +291,7 @@ void cMemMappedArchive::SetNewMap(void* pMap, int64 offset, int64 length) const
// mapped. // mapped.
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
cMemoryArchive::cMemoryArchive(int maxSize) cMemoryArchive::cMemoryArchive(int maxSize) : mMaxAllocatedLen(maxSize)
: mMaxAllocatedLen(maxSize)
{ {
ASSERT(maxSize > 0); ASSERT(maxSize > 0);
mpMemory = 0; mpMemory = 0;
@ -343,11 +323,13 @@ void cMemoryArchive::Seek(int64 offset, SeekFrom from) // throw(eArchive)
offset = mLogicalSize + (int)offset; offset = mLogicalSize + (int)offset;
break; break;
default: default:
ThrowAndAssert(eArchiveSeek(TSS_GetString( cCore, core::STR_MEMARCHIVE_FILENAME), TSS_GetString( cCore, core::STR_MEMARCHIVE_ERRSTR))); ThrowAndAssert(eArchiveSeek(TSS_GetString(cCore, core::STR_MEMARCHIVE_FILENAME),
TSS_GetString(cCore, core::STR_MEMARCHIVE_ERRSTR)));
} }
if (offset > mLogicalSize) if (offset > mLogicalSize)
ThrowAndAssert(eArchiveSeek(TSS_GetString( cCore, core::STR_MEMARCHIVE_FILENAME), TSS_GetString( cCore, core::STR_MEMARCHIVE_ERRSTR))); ThrowAndAssert(eArchiveSeek(TSS_GetString(cCore, core::STR_MEMARCHIVE_FILENAME),
TSS_GetString(cCore, core::STR_MEMARCHIVE_ERRSTR)));
mReadHead = static_cast<int>(offset); mReadHead = static_cast<int>(offset);
} }
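Review bot: In `cMemoryArchive::Seek`, the only range check visible after the switch is `if (offset > mLogicalSize)`; nothing in these lines rejects a negative result before `mReadHead = static_cast<int>(offset)`, and the `(int)offset` casts silently truncate the int64 argument. Since these lines are being touched anyway, I would add an `offset < 0` check that throws the same `eArchiveSeek`. The same pattern appears in `cFixedMemArchive::Seek` further down in this file.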
@ -421,7 +403,7 @@ void cMemoryArchive::AllocateMemory(int len) // throw(eArchive)
{ {
// grow the buffer // grow the buffer
// only error if we are in debug mode // only error if we are in debug mode
#ifdef _DEBUG #ifdef DEBUG
if (len > mMaxAllocatedLen) if (len > mMaxAllocatedLen)
ThrowAndAssert(eArchiveOutOfMem()); ThrowAndAssert(eArchiveOutOfMem());
#endif #endif
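Review bot: The switch from `#ifdef _DEBUG` to `#ifdef DEBUG` in `cMemoryArchive::AllocateMemory` is a behaviour change, not formatting: it changes which builds enforce the `len > mMaxAllocatedLen` check. Please confirm `DEBUG` is the macro the build actually defines, and document why the limit is compiled out of non-debug builds, where the buffer can grow past the size passed to the constructor without `eArchiveOutOfMem` being thrown.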
@ -486,17 +468,11 @@ public:
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
// cFixedMemArchive // cFixedMemArchive
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
cFixedMemArchive::cFixedMemArchive() cFixedMemArchive::cFixedMemArchive() : mpMemory(0), mSize(0), mReadHead(0)
: mpMemory (0),
mSize (0),
mReadHead (0)
{ {
} }
cFixedMemArchive::cFixedMemArchive( int8* pMem, int32 size ) cFixedMemArchive::cFixedMemArchive(int8* pMem, int32 size) : mpMemory(0), mSize(0), mReadHead(0)
: mpMemory (0),
mSize (0),
mReadHead (0)
{ {
Attach(pMem, size); Attach(pMem, size);
} }
@ -525,11 +501,13 @@ void cFixedMemArchive::Seek(int64 offset, SeekFrom from) // throw(eArchive)
offset = mSize + (int)offset; offset = mSize + (int)offset;
break; break;
default: default:
ThrowAndAssert(eArchiveSeek(TSS_GetString( cCore, core::STR_MEMARCHIVE_FILENAME), TSS_GetString( cCore, core::STR_MEMARCHIVE_ERRSTR))); ThrowAndAssert(eArchiveSeek(TSS_GetString(cCore, core::STR_MEMARCHIVE_FILENAME),
TSS_GetString(cCore, core::STR_MEMARCHIVE_ERRSTR)));
} }
if (offset > mSize) if (offset > mSize)
ThrowAndAssert(eArchiveSeek(TSS_GetString( cCore, core::STR_MEMARCHIVE_FILENAME), TSS_GetString( cCore, core::STR_MEMARCHIVE_ERRSTR))); ThrowAndAssert(eArchiveSeek(TSS_GetString(cCore, core::STR_MEMARCHIVE_FILENAME),
TSS_GetString(cCore, core::STR_MEMARCHIVE_ERRSTR)));
mReadHead = static_cast<int32>(offset); mReadHead = static_cast<int32>(offset);
} }
@ -588,11 +566,9 @@ int cFixedMemArchive::Write(const void* pDest, int count) // throw(eArchive)
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
//Ctor -- Initialize member variables to 0 or NULL equivalents. //Ctor -- Initialize member variables to 0 or NULL equivalents.
cFileArchive::cFileArchive() : cFileArchive::cFileArchive() : mFileSize(0), mReadHead(0), isWritable(false)
mFileSize(0), {
mReadHead(0), }
isWritable(false)
{}
cFileArchive::~cFileArchive() cFileArchive::~cFileArchive()
{ {
@ -756,13 +732,13 @@ int cFileArchive::Read(void* pDest, int count)
if (pDest != NULL) if (pDest != NULL)
{ {
int nbRead = int nbRead = static_cast<int>(mCurrentFile.Read(pDest, count));
static_cast<int>( mCurrentFile.Read( pDest, count ) );
// 'count' may not be equal to 'nbRead' if the file is open in // 'count' may not be equal to 'nbRead' if the file is open in
// text mode. // text mode.
count = nbRead; count = nbRead;
if(count < 0) count = 0; if (count < 0)
count = 0;
} }
else else
{ {
@ -787,7 +763,6 @@ int cFileArchive::Read(void* pDest, int count)
{ {
throw(eArchiveRead(mCurrentFilename, fileError.GetDescription())); throw(eArchiveRead(mCurrentFilename, fileError.GetDescription()));
} }
} }
///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////
@ -815,7 +790,7 @@ int cFileArchive::Write(const void* pDest, int count) // throw(eArchive)
// increase the size, if needed // increase the size, if needed
if (mReadHead > mFileSize) if (mReadHead > mFileSize)
{ {
#if 0 // IS_SUNPRO #if 0 // IS_SUNPRO \
// These two lines seem to be all there is between code that crashes and code that works for sunpro // These two lines seem to be all there is between code that crashes and code that works for sunpro
cDebug d("cFileArchive::Write()"); cDebug d("cFileArchive::Write()");
d.TraceDebug(_T("file(%s) adjusted mFileSize = %d mReadHead = %d\n"), mCurrentFilename.c_str(), (int)mFileSize, (int)mReadHead); d.TraceDebug(_T("file(%s) adjusted mFileSize = %d mReadHead = %d\n"), mCurrentFilename.c_str(), (int)mFileSize, (int)mReadHead);
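Review bot: The reformatted `#if 0 // IS_SUNPRO \` in `cFileArchive::Write` now ends in a backslash, which splices the following line onto the directive's `//` comment. It is harmless here only because the next line is itself a comment inside an `#if 0` block; drop the trailing backslash, or move the comment onto its own line, so a later edit to that line is not swallowed.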
@ -854,7 +829,6 @@ void cFileArchive::Truncate() // throw(eArchive)
} }
///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////
// OpenReadWrite -- Opens the file to be read or written to // OpenReadWrite -- Opens the file to be read or written to
// //
@ -864,7 +838,8 @@ void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 o
{ {
TSTRING strTempFile; TSTRING strTempFile;
try { try
{
ASSERT(!mCurrentFile.IsOpen()); // shouldn't be able to create a new file when we're already open ASSERT(!mCurrentFile.IsOpen()); // shouldn't be able to create a new file when we're already open
if (mCurrentFile.IsOpen()) if (mCurrentFile.IsOpen())
@ -913,7 +888,8 @@ void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 o
#endif #endif
} //try } //try
catch (eFile& fileError) { catch (eFile& fileError)
{
TSTRING errStr = TSS_GetString(cCore, core::STR_BAD_TEMPDIRECTORY); TSTRING errStr = TSS_GetString(cCore, core::STR_BAD_TEMPDIRECTORY);
eArchiveOpen e(strTempFile, errStr); eArchiveOpen e(strTempFile, errStr);
throw e; throw e;
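Review bot: In the `catch (eFile& fileError)` handler of `cLockedTemporaryFileArchive::OpenReadWrite`, `fileError` is never used: the rethrown `eArchiveOpen` carries only `STR_BAD_TEMPDIRECTORY`, so the underlying cause of the failure is lost. Consider including `fileError.GetDescription()` in `errStr`, as `cFileArchive::Read` does when it builds its `eArchiveRead`.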
@ -929,4 +905,3 @@ void cLockedTemporaryFileArchive::Close()
// Note: this deletes the file as well // Note: this deletes the file as well
cFileArchive::Close(); cFileArchive::Close();
} }


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -85,7 +85,9 @@ TSS_EXCEPTION( eArchiveStringTooLong, eArchive );
class cArchive class cArchive
{ {
public: public:
virtual ~cArchive() {} virtual ~cArchive()
{
}
// convenience methods // convenience methods
// //
@ -137,7 +139,8 @@ protected:
class cBidirArchive : public cArchive class cBidirArchive : public cArchive
{ {
public: public:
enum SeekFrom { enum SeekFrom
{
BEGINNING = 0, BEGINNING = 0,
CURRENT = 1, CURRENT = 1,
END = -1 END = -1
@ -155,7 +158,8 @@ public:
class cMemMappedArchive : public cBidirArchive class cMemMappedArchive : public cBidirArchive
{ {
public: public:
enum { enum
{
MAP_TO_EOF = -1 MAP_TO_EOF = -1
}; };
@ -202,7 +206,10 @@ public:
void Truncate(); // set the length to the current pos void Truncate(); // set the length to the current pos
int8* GetMemory() const { return mpMemory; } int8* GetMemory() const
{
return mpMemory;
}
protected: protected:
int8* mpMemory; int8* mpMemory;
@ -238,6 +245,7 @@ public:
virtual int64 CurrentPos() const; virtual int64 CurrentPos() const;
virtual int64 Length() const; virtual int64 Length() const;
virtual bool EndOfFile(); virtual bool EndOfFile();
protected: protected:
//----------------------------------- //-----------------------------------
// cArchive interface // cArchive interface
@ -320,32 +328,12 @@ public:
private: private:
// open for read only makes no sense if we're always creating the file, // open for read only makes no sense if we're always creating the file,
// so disallow read only file opens // so disallow read only file opens
virtual void OpenRead( const TCHAR*, uint32 openFlags = 0 ) { ASSERT( false ); THROW_INTERNAL("archive.h"); } virtual void OpenRead(const TCHAR*, uint32 openFlags = 0)
};
/*
// TODO: fill these out
///////////////////////////////////////////////////////////////////////////////
// class cMMFileArchive --
///////////////////////////////////////////////////////////////////////////////
class cMMFileArchive : public cMemMappedArchive
{ {
public: ASSERT(false);
THROW_INTERNAL("archive.h");
}
}; };
///////////////////////////////////////////////////////////////////////////////
// class cNetArchive --
///////////////////////////////////////////////////////////////////////////////
class cNetArchive : public cArchive
{
public:
};
*/
#endif #endif


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -149,5 +149,3 @@ bool cCharUtil::PopNextChar( TSTRING::const_iterator& cur,
return f; return f;
} }
// eof: charutil.cpp


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -44,8 +44,6 @@
class cCharUtil class cCharUtil
{ {
public: public:
// finds the next whole character in string identified by ['cur'-'end') // finds the next whole character in string identified by ['cur'-'end')
// identifies beginning of char in 'first', then end of character in 'last' // identifies beginning of char in 'first', then end of character in 'last'
// returns 'are there more characters in string?' // returns 'are there more characters in string?'
@ -63,4 +61,3 @@ public:
}; };
#endif //__CHARUTIL_H #endif //__CHARUTIL_H


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -38,9 +38,7 @@
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// ctor, dotr // ctor, dotr
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
cCmdLineParser::cCmdLineParser() : cCmdLineParser::cCmdLineParser() : mArgTable(HASH_VERY_SMALL), mLastArgInfo(-1, PARAM_NONE)
mArgTable(HASH_VERY_SMALL),
mLastArgInfo(-1, PARAM_NONE)
{ {
} }
@ -51,7 +49,8 @@ cCmdLineParser::~cCmdLineParser()
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// AddArg // AddArg
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
void cCmdLineParser::AddArg(int argId, const TSTRING& arg, const TSTRING& alias, ParamCount numParams, bool multipleAllowed) void cCmdLineParser::AddArg(
int argId, const TSTRING& arg, const TSTRING& alias, ParamCount numParams, bool multipleAllowed)
{ {
if (arg.empty() && alias.empty()) if (arg.empty() && alias.empty())
{ {
@ -78,14 +77,14 @@ void cCmdLineParser::AddArg(int argId, const TSTRING& arg, const TSTRING& alias,
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// Clear // Clear
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
void cCmdLineParser::Clear() /*void cCmdLineParser::Clear()
{ {
mLastArgInfo.mId = -1; mLastArgInfo.mId = -1;
mLastArgInfo.mNumParams = PARAM_INVALID; mLastArgInfo.mNumParams = PARAM_INVALID;
mArgTable.Clear(); mArgTable.Clear();
mArgData.clear(); mArgData.clear();
mMutExList.clear(); mMutExList.clear();
} }*/
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// Parse // Parse
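Review bot: `cCmdLineParser::Clear()` is disabled by wrapping its whole body in `/* ... */` rather than being deleted, which leaves dead code in the file with no explanation. If nothing calls it any more, remove the definition outright (version control keeps the history); if it is expected to come back, add a one-line comment saying why it is disabled.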
@ -110,9 +109,7 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
if (!mArgTable.Lookup(TSTRING(&argv[i][1]), argInfo)) if (!mArgTable.Lookup(TSTRING(&argv[i][1]), argInfo))
{ {
// unknown switch! // unknown switch!
throw eCmdLineInvalidArg( throw eCmdLineInvalidArg(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + pCurArg);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ pCurArg );
} }
// //
// make sure this hasn't been specified yet... // make sure this hasn't been specified yet...
@ -124,9 +121,7 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
if (it == mMultipleAllowed.end()) if (it == mMultipleAllowed.end())
{ {
// It wasn't in our list of allowed params, so error. // It wasn't in our list of allowed params, so error.
throw eCmdLineMultiArg( throw eCmdLineMultiArg(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + argv[i]);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ argv[i] );
} }
} }
// //
@ -149,9 +144,7 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
if (argv[j][0] == _T('-')) if (argv[j][0] == _T('-'))
{ {
// >0 parameter passed ! // >0 parameter passed !
throw eCmdLineBadParam( throw eCmdLineBadParam(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + pCurArg);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ pCurArg );
} }
} }
} }
@ -163,9 +156,7 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
if ((i >= argc) || (argv[i][0] == _T('-'))) if ((i >= argc) || (argv[i][0] == _T('-')))
{ {
// zero parameters passed to something that needed one param // zero parameters passed to something that needed one param
throw eCmdLineBadParam( throw eCmdLineBadParam(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + pCurArg);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ pCurArg );
} }
curArg.mParams.push_back(TSTRING(argv[i])); curArg.mParams.push_back(TSTRING(argv[i]));
@ -207,7 +198,6 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
break; break;
default: default:
ASSERT(false); ASSERT(false);
} }
if (!bResult) if (!bResult)
{ {
@ -224,16 +214,12 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
{ {
if (!pCurArg) if (!pCurArg)
{ {
throw eCmdLineBadSwitchPos( throw eCmdLineBadSwitchPos(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + argv[i]);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ argv[i] );
} }
else else
{ {
// there was an extra parameter passed somewhere! // there was an extra parameter passed somewhere!
throw eCmdLineBadArgParam( throw eCmdLineBadArgParam(TSS_GetString(cCore, core::STR_ERR2_BAD_ARG_PARAMS) + pCurArg);
TSS_GetString( cCore, core::STR_ERR2_BAD_ARG_PARAMS )
+ pCurArg );
} }
} }
@ -241,10 +227,7 @@ void cCmdLineParser::Parse(int argc, const TCHAR *const * argv)
curArg.mParams.push_back(TSTRING(argv[i])); curArg.mParams.push_back(TSTRING(argv[i]));
i++; i++;
} }
} }
} }
// it is possible not to process the final command line parameters in the "else" case above // it is possible not to process the final command line parameters in the "else" case above
@ -283,14 +266,10 @@ void cCmdLineParser::TestMutEx()
if (!iter2.Done()) if (!iter2.Done())
{ {
// we have a mutual exclusion violation! // we have a mutual exclusion violation!
throw eCmdLineMutEx( throw eCmdLineMutEx(iter1.ActualParam() + _T(", ") + iter2.ActualParam());
iter1.ActualParam()
+ _T(", ")
+ iter2.ActualParam() );
} }
} }
} }
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -378,7 +357,7 @@ void cCmdLineParser::AddDependency(int argId1, int argId2, bool mutual )
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// TraceContents // TraceContents
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
#ifdef _DEBUG #ifdef DEBUG
void cCmdLineParser::TraceContents(int dl) void cCmdLineParser::TraceContents(int dl)
{ {
cDebug d("cCmdLineParser::TraceContents"); cDebug d("cCmdLineParser::TraceContents");
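Review bot: the guard around `TraceContents` changes from `#ifdef _DEBUG` to `#ifdef DEBUG`, so whether this function is compiled now depends on a different macro. Please confirm that the debug build configuration actually defines `DEBUG`. Otherwise the function drops out of debug builds silently, or an unrelated `-DDEBUG` in a production build turns tracing of the command-line contents on.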
@ -467,6 +446,4 @@ bool cCmdLineIter::SeekToArg(int argId) const
} }
return false; return false;
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -52,7 +52,8 @@
TSS_EXCEPTION(eCmdLine, eError) TSS_EXCEPTION(eCmdLine, eError)
TSS_EXCEPTION(eCmdLineInvalidArg, eCmdLine) // an arg on the command line is not recognized TSS_EXCEPTION(eCmdLineInvalidArg, eCmdLine) // an arg on the command line is not recognized
TSS_EXCEPTION(eCmdLineBadArgParam, eCmdLine) // wrong number of parameters to an argument TSS_EXCEPTION(eCmdLineBadArgParam, eCmdLine) // wrong number of parameters to an argument
TSS_EXCEPTION( eCmdLineBadParam, eCmdLine ) // wrong number of paramters to the executable (not associated with any arguments) TSS_EXCEPTION(eCmdLineBadParam,
eCmdLine) // wrong number of paramters to the executable (not associated with any arguments)
TSS_EXCEPTION(eCmdLineBadSwitchPos, eCmdLine) // a '-' arg appeared after the final parameter list TSS_EXCEPTION(eCmdLineBadSwitchPos, eCmdLine) // a '-' arg appeared after the final parameter list
TSS_EXCEPTION(eCmdLineMutEx, eCmdLine) // a mutual exclusion error has occured TSS_EXCEPTION(eCmdLineMutEx, eCmdLine) // a mutual exclusion error has occured
TSS_EXCEPTION(eCmdLineDependency, eCmdLine) // a dependency error has occurred. TSS_EXCEPTION(eCmdLineDependency, eCmdLine) // a dependency error has occurred.
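Review bot: the reformatted `TSS_EXCEPTION(eCmdLineBadParam,` line is now split in the middle of the macro invocation because of its long trailing comment, which is harder to read than before. Move the comment to its own line above the macro so the invocation stays on one line. While editing these lines, "paramters" and "occured" in the comments could be corrected.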
@ -102,7 +103,8 @@ public:
PARAM_INVALID // top of enum PARAM_INVALID // top of enum
}; };
void AddArg(int argId, const TSTRING& arg, const TSTRING& alias, ParamCount numParams, bool multipleAllowed = false); void
AddArg(int argId, const TSTRING& arg, const TSTRING& alias, ParamCount numParams, bool multipleAllowed = false);
// this method should be called for each argument that can appear on the // this method should be called for each argument that can appear on the
// command line. // command line.
// argId -- a number that uniquely identifies the argument; no two arguments // argId -- a number that uniquely identifies the argument; no two arguments
@ -132,14 +134,14 @@ public:
// the input was invalid in some way; the actual error can be determined by calling // the input was invalid in some way; the actual error can be determined by calling
// GetErrorInfo() below. // GetErrorInfo() below.
void Clear(); // void Clear();
// clear out all information that this class contains // clear out all information that this class contains
bool LookupArgInfo(int argId, TSTRING& arg, TSTRING& alias) const; bool LookupArgInfo(int argId, TSTRING& arg, TSTRING& alias) const;
// given an argId, fill out the strings with the argument and alias strings. Returns false // given an argId, fill out the strings with the argument and alias strings. Returns false
// if the argId cannot be found. This method is not very fast, so don't use it often. // if the argId cannot be found. This method is not very fast, so don't use it often.
#ifdef _DEBUG #ifdef DEBUG
void TraceContents(int dl = -1); void TraceContents(int dl = -1);
#endif #endif
private: private:
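Review bot: `// void Clear();` comments the declaration out but leaves its description ("clear out all information that this class contains") in place, so the header now documents a method that does not exist. Delete both the declaration and its comment instead of commenting out one of them.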
@ -158,7 +160,9 @@ private:
int mId; int mId;
ParamCount mNumParams; ParamCount mNumParams;
cArgInfo(int i = -1, ParamCount p = PARAM_INVALID) : mId(i), mNumParams(p) {} cArgInfo(int i = -1, ParamCount p = PARAM_INVALID) : mId(i), mNumParams(p)
{
}
}; };
// for storing parsed argv information // for storing parsed argv information
struct cArgData struct cArgData
@ -167,11 +171,14 @@ private:
std::vector<TSTRING> mParams; std::vector<TSTRING> mParams;
TSTRING mActualParam; // a string representation of what was actually on the command line TSTRING mActualParam; // a string representation of what was actually on the command line
cArgData(int id = -1, const TSTRING& actualParam = TSTRING(_T(""))) : mId(id), mActualParam(actualParam) {} cArgData(int id = -1, const TSTRING& actualParam = TSTRING(_T(""))) : mId(id), mActualParam(actualParam)
{
}
}; };
cHashTable<TSTRING, cArgInfo> mArgTable; cHashTable<TSTRING, cArgInfo> mArgTable;
cArgInfo mLastArgInfo; // info on the argument that comes at the end of the command line (with no associated '-x' or '--x') cArgInfo
mLastArgInfo; // info on the argument that comes at the end of the command line (with no associated '-x' or '--x')
std::list<cArgData> mArgData; std::list<cArgData> mArgData;
std::list<std::pair<int, int> > mMutExList; // all of the mutual exclusions std::list<std::pair<int, int> > mMutExList; // all of the mutual exclusions
std::list<std::pair<std::pair<int, int>, bool> > mDependencyList; // all of the dependencies std::list<std::pair<std::pair<int, int>, bool> > mDependencyList; // all of the dependencies
@ -218,8 +225,7 @@ private:
//############################################################################# //#############################################################################
// inline implementation // inline implementation
//############################################################################# //#############################################################################
inline cCmdLineIter::cCmdLineIter(const cCmdLineParser& parser) : inline cCmdLineIter::cCmdLineIter(const cCmdLineParser& parser) : mList(parser.mArgData)
mList(parser.mArgData)
{ {
SeekBegin(); SeekBegin();
} }
@ -264,4 +270,3 @@ inline const TSTRING& cCmdLineIter::ParamAt(int index) const
#endif #endif

View File

@ -1,6 +1,6 @@
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -111,6 +111,12 @@ iCodeConverter* iCodeConverter::GetInstance()
return m_pInst; return m_pInst;
} }
void iCodeConverter::Finit()
{
delete m_pInst;
m_pInst = 0;
}
iCodeConverter* iCodeConverter::CreateConverter() iCodeConverter* iCodeConverter::CreateConverter()
{ {
cDebug d("iCodeConverter::CreateConverter()"); cDebug d("iCodeConverter::CreateConverter()");
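Review bot: the new `iCodeConverter::Finit()` deletes the singleton and zeroes `m_pInst` with no statement of when it is safe to call. Any pointer previously returned by `GetInstance()` is left dangling once it runs. Please document on the declaration that it is for shutdown only and that no converter pointer may be used afterwards.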
@ -199,7 +205,8 @@ namespace /*Unique*/
d.TraceDebug("ENOMEM: Insufficient storage space is available.\n"); d.TraceDebug("ENOMEM: Insufficient storage space is available.\n");
break; break;
case EINVAL: case EINVAL:
d.TraceDebug( "EINVAL: The conversion specified by fromcode and tocode is not supported by the implementation.\n" ); d.TraceDebug("EINVAL: The conversion specified by fromcode and tocode is not supported by the "
"implementation.\n");
break; break;
default: default:
d.TraceDebug("UNKNOWN: Unknown error.\n"); d.TraceDebug("UNKNOWN: Unknown error.\n");
@ -215,48 +222,34 @@ namespace /*Unique*/
// [EINVAL] Input conversion stopped due to an incomplete character // [EINVAL] Input conversion stopped due to an incomplete character
// [EBADF] The cd argument is not a valid open conversion descriptor. // [EBADF] The cd argument is not a valid open conversion descriptor.
// errno // errno
d.TraceDebug( d.TraceDebug(_T( "iconv failed with: %s\n" ), iFSServices::GetInstance()->GetErrString().c_str());
_T( "iconv failed with: %s\n" ),
iFSServices::GetInstance()->GetErrString().c_str() );
/// RAD: Always throw on error (Let user Catch if they want to go on) /// RAD: Always throw on error (Let user Catch if they want to go on)
switch (errno) switch (errno)
{ {
case EILSEQ: case EILSEQ:
case EINVAL: case EINVAL:
throw throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_BADCHAR));
eConverterFatal (
TSS_GetString( cCore, core::STR_ERR_BADCHAR ) );
break; break;
case E2BIG: case E2BIG:
throw throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_OVERFLOW));
eConverterFatal(
TSS_GetString(cCore, core::STR_ERR_OVERFLOW ) );
break; break;
case EBADF: case EBADF:
throw throw eConverterUnknownCodepage(TSS_GetString(cCore, core::STR_UNKNOWN));
eConverterUnknownCodepage(
TSS_GetString( cCore, core::STR_UNKNOWN ) );
break; break;
default: default:
throw throw eConverterFatal(TSS_GetString(cCore, core::STR_UNKNOWN));
eConverterFatal(
TSS_GetString( cCore, core::STR_UNKNOWN ) );
} }
return -1; return -1;
} }
template< class BufferT, class SourceT > template<class BufferT, class SourceT> class ByteConvert
class ByteConvert
{ {
public: public:
bool Convert(BufferT** ppBuf, size_t* pnBufferLeft, const SourceT** ppSrc, size_t* pnSourceLeft)
bool
Convert( BufferT** ppBuf, size_t* pnBufferLeft,
const SourceT** ppSrc, size_t* pnSourceLeft )
{ {
cDebug d("ByteConvert::Convert< BufferT, SourceT >()"); cDebug d("ByteConvert::Convert< BufferT, SourceT >()");
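Review bot: in the `switch (errno)` block every case now reads `throw ...; break;`, and the `return -1;` after the switch cannot be reached because the `default:` case throws as well. Drop the unreachable `break` statements and either remove the `return -1;` or mark it as only there to satisfy the compiler, so a reader does not assume there is a non-throwing path.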
@ -279,21 +272,21 @@ namespace /*Unique*/
class UTF8_Util class UTF8_Util
{ {
public: public:
enum { INVALID_VALUE = 0xFF }; enum
{
INVALID_VALUE = 0xFF
};
}; };
// convert to INVALID_VALUE and remember the byte value // convert to INVALID_VALUE and remember the byte value
template< class BufferT, class SourceT > template<class BufferT, class SourceT> class ToUTF8Convert
class ToUTF8Convert
{ {
public: public:
ToUTF8Convert(std::list<byte>& lb) : m_lb(lb)
{
}
ToUTF8Convert( std::list<byte>& lb ) bool Convert(mbchar_t** ppBuf, size_t* pnBufferLeft, const dbchar_t** ppSrc, size_t* pnSourceLeft)
: m_lb( lb ) {}
bool
Convert( mbchar_t** ppBuf, size_t* pnBufferLeft,
const dbchar_t** ppSrc, size_t* pnSourceLeft )
{ {
cDebug d("ToUTF8Convert::Convert< mbchar_t, dbchar_t >()"); cDebug d("ToUTF8Convert::Convert< mbchar_t, dbchar_t >()");
@ -314,9 +307,7 @@ namespace /*Unique*/
return true; return true;
} }
bool bool Convert(mbchar_t** ppBuf, size_t* pnBufferLeft, const mbchar_t** ppSrc, size_t* pnSourceLeft)
Convert( mbchar_t** ppBuf, size_t* pnBufferLeft,
const mbchar_t** ppSrc, size_t* pnSourceLeft )
{ {
cDebug d("ToUTF8Convert::Convert< char, char >()"); cDebug d("ToUTF8Convert::Convert< char, char >()");
@ -338,23 +329,19 @@ namespace /*Unique*/
} }
private: private:
// TODO:Get rid of this guy and just use a vector<BufferT*,BufferT> and // TODO:Get rid of this guy and just use a vector<BufferT*,BufferT> and
// insert them when finished with second step // insert them when finished with second step
std::list<byte>& m_lb; std::list<byte>& m_lb;
}; };
template< class BufferT, class SourceT > template<class BufferT, class SourceT> class FromUTF8Convert
class FromUTF8Convert
{ {
public: public:
FromUTF8Convert(std::list<byte>& lb) : m_lb(lb)
{
}
FromUTF8Convert( std::list<byte>& lb ) bool Convert(dbchar_t** ppBuf, size_t* pnBufferLeft, const mbchar_t** ppSrc, size_t* pnSourceLeft)
: m_lb( lb ) {}
bool
Convert( dbchar_t** ppBuf, size_t* pnBufferLeft,
const mbchar_t** ppSrc, size_t* pnSourceLeft )
{ {
cDebug d("FromUTF8Convert::Convert< dbchar_t, mbchar_t >()"); cDebug d("FromUTF8Convert::Convert< dbchar_t, mbchar_t >()");
@ -389,9 +376,7 @@ namespace /*Unique*/
// Converts a UTF-8 value to corresponding UCS2 char (in the private // Converts a UTF-8 value to corresponding UCS2 char (in the private
// use range) whose value is 0xE000 < x < 0xE0FF in UCS2. // use range) whose value is 0xE000 < x < 0xE0FF in UCS2.
// Must be of the form 11101110 100000xx 10xxxxxx // Must be of the form 11101110 100000xx 10xxxxxx
bool bool Convert(mbchar_t** ppBuf, size_t* pnBufferLeft, const mbchar_t** ppSrc, size_t* pnSourceLeft)
Convert( mbchar_t** ppBuf, size_t* pnBufferLeft,
const mbchar_t** ppSrc, size_t* pnSourceLeft )
{ {
cDebug d("FromUTF8Convert::Convert< mbchar_t, mbchar_t >()"); cDebug d("FromUTF8Convert::Convert< mbchar_t, mbchar_t >()");
/* /*
@ -480,23 +465,19 @@ namespace /*Unique*/
} }
private: private:
// TODO:Get rid of this guy and just use a vector<BufferT*,BufferT> and // TODO:Get rid of this guy and just use a vector<BufferT*,BufferT> and
// insert them when finished with second step // insert them when finished with second step
std::list<byte>& m_lb; std::list<byte>& m_lb;
}; };
bool bool tss_ReverseConvert(iconv_t revConv, const char* pConvertedFrom, size_t nFrom, char* pConvertedTo, size_t nTo)
tss_ReverseConvert( iconv_t revConv,
const char* pConvertedFrom, size_t nFrom,
char* pConvertedTo, size_t nTo )
{ {
cDebug d("tss_ReverseConvert< B, S, C >()"); cDebug d("tss_ReverseConvert< B, S, C >()");
d.TraceDebug("Converted from: %s\n", util_output_bytes((void*)pConvertedFrom, nFrom).c_str()); d.TraceDebug("Converted from: %s\n", util_output_bytes((void*)pConvertedFrom, nFrom).c_str());
d.TraceDebug("Converted to: %s\n", util_output_bytes((void*)pConvertedTo, nTo).c_str()); d.TraceDebug("Converted to: %s\n", util_output_bytes((void*)pConvertedTo, nTo).c_str());
char aBuffer[MB_LEN_MAX]; char aBuffer[MB_LEN_MAX];
#ifdef _DEBUG # ifdef DEBUG
for (size_t foo = 0; foo < sizeof(aBuffer); foo++) for (size_t foo = 0; foo < sizeof(aBuffer); foo++)
aBuffer[foo] = 0xCD; aBuffer[foo] = 0xCD;
# endif # endif
@ -532,26 +513,27 @@ namespace /*Unique*/
return true; return true;
} }
template< class CharT > template<class CharT> bool tss_IsFlaggedCharacter(CharT ch)
bool tss_IsFlaggedCharacter( CharT ch )
{ {
return false; return false;
} }
template<> template<> bool tss_IsFlaggedCharacter<dbchar_t>(dbchar_t wch)
bool tss_IsFlaggedCharacter< dbchar_t >( dbchar_t wch )
{ {
return cConvertUtil::ValueInReservedRange(wch); return cConvertUtil::ValueInReservedRange(wch);
} }
template<class BufferT, class SourceT> template<class BufferT, class SourceT>
int int tss_ConvertOneCharacter(iconv_t convForward,
tss_ConvertOneCharacter( iconv_t convForward,
iconv_t convReverse, iconv_t convReverse,
const char** ppSource, size_t* pnSourceLeft, const char** ppSource,
char** ppBuffer, size_t* pnBufferLeft size_t* pnSourceLeft,
char** ppBuffer,
size_t* pnBufferLeft
# if (!SUPPORTS_EXPLICIT_TEMPLATE_FUNC_INST) # if (!SUPPORTS_EXPLICIT_TEMPLATE_FUNC_INST)
, BufferT /*dummy*/, SourceT /*dummy*/ ,
BufferT /*dummy*/,
SourceT /*dummy*/
# endif # endif
) )
{ {
@ -570,9 +552,7 @@ namespace /*Unique*/
//-- Try to find the number of items needed to get a complete character //-- Try to find the number of items needed to get a complete character
size_t nSrcTry; size_t nSrcTry;
for( nSrcTry = sizeof( SourceT ); for (nSrcTry = sizeof(SourceT); nSrcTry <= *pnBufferLeft && nSrcTry <= MB_LEN_MAX; nSrcTry += sizeof(SourceT))
nSrcTry <= *pnBufferLeft && nSrcTry <= MB_LEN_MAX;
nSrcTry += sizeof( SourceT ) )
{ {
size_t nSrcLeft = nSrcTry; size_t nSrcLeft = nSrcTry;
size_t nBufLeft = *pnBufferLeft; // Try to find a character in 'n' items size_t nBufLeft = *pnBufferLeft; // Try to find a character in 'n' items
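Review bot: the reflowed loop condition still reads `nSrcTry <= *pnBufferLeft && nSrcTry <= MB_LEN_MAX`, which limits the number of source bytes tried by the space left in the destination buffer rather than by `*pnSourceLeft`. Is that intended? If the source has fewer bytes remaining than `MB_LEN_MAX`, nothing in this condition stops `nSrcTry` from exceeding them. A bound on `*pnSourceLeft` looks like what is wanted here, or a comment explaining why the buffer size is the right limit.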
@ -602,12 +582,7 @@ namespace /*Unique*/
} }
else else
{ {
if( tss_ReverseConvert( if (tss_ReverseConvert(convReverse, *ppSource, pSrc - *ppSource, *ppBuffer, pBuf - *ppBuffer))
convReverse,
*ppSource,
pSrc - *ppSource,
*ppBuffer,
pBuf - *ppBuffer ) )
{ {
// Modify source items to return // Modify source items to return
@ -642,16 +617,17 @@ namespace /*Unique*/
// NOTE: pBuffer should really have (nBufferItems+1) buffer items, because some // NOTE: pBuffer should really have (nBufferItems+1) buffer items, because some
// platforms use the last character to NULL terminate. // platforms use the last character to NULL terminate.
template<class BufferT, class SourceT, class ConvT> template<class BufferT, class SourceT, class ConvT>
int int tss_Converter(iconv_t convForward,
tss_Converter( iconv_t convForward,
iconv_t convReverse, iconv_t convReverse,
BufferT* pBuffer, size_t nBufferItems, BufferT* pBuffer,
const SourceT* pSource, size_t nSourceItems, size_t nBufferItems,
const SourceT* pSource,
size_t nSourceItems,
ConvT& ConvertByte) ConvT& ConvertByte)
{ {
cDebug d("tss_Converter< BufferT, SourceT >()"); cDebug d("tss_Converter< BufferT, SourceT >()");
#ifdef _DEBUG # ifdef DEBUG
for (size_t s = nBufferItems; s; s--) for (size_t s = nBufferItems; s; s--)
pBuffer[s] = 0xCD; pBuffer[s] = 0xCD;
d.TraceDebug("sizeof buffer: %d, sizeof source: %d\n", sizeof(BufferT), sizeof(SourceT)); d.TraceDebug("sizeof buffer: %d, sizeof source: %d\n", sizeof(BufferT), sizeof(SourceT));
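Review bot: the debug fill loop `for (size_t s = nBufferItems; s; s--) pBuffer[s] = 0xCD;` writes to `pBuffer[nBufferItems]` and never to `pBuffer[0]`, so it depends on the caller having allocated the extra item that the NOTE above only says the buffer "should really have". With the guard switched to `DEBUG`, this loop may be compiled in configurations where it previously was not. Index from `0` to `nBufferItems - 1`, or assert the `nBufferItems + 1` precondition. The `%d` in the `TraceDebug` call below is also given `sizeof` values, which are `size_t`.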
@ -679,7 +655,8 @@ namespace /*Unique*/
size_t nbIconvSrc = (size_t)nSourceLeft; size_t nbIconvSrc = (size_t)nSourceLeft;
size_t nbIconvDest = (size_t)nBufferLeft; size_t nbIconvDest = (size_t)nBufferLeft;
size_t nConv = iconv( convForward, (ICONV_SOURCE_TYPE**)&pIconvSrc, &nbIconvSrc, (char**)&pIconvDest, &nbIconvDest ); size_t nConv =
iconv(convForward, (ICONV_SOURCE_TYPE**)&pIconvSrc, &nbIconvSrc, (char**)&pIconvDest, &nbIconvDest);
if (nConv == -1) if (nConv == -1)
{ {
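Review bot: `if (nConv == -1)` compares a `size_t` against a signed literal. It works through the implicit conversion but draws sign-compare warnings and is inconsistent with `cIconvUtil::ResetConverter`, which tests `i == (size_t)-1`. Use `(size_t)-1` here too.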
@ -698,7 +675,9 @@ namespace /*Unique*/
(char**)&pBuf, (char**)&pBuf,
&nBufferLeft &nBufferLeft
# if (!SUPPORTS_EXPLICIT_TEMPLATE_FUNC_INST) # if (!SUPPORTS_EXPLICIT_TEMPLATE_FUNC_INST)
, BufferT(), SourceT() ,
BufferT(),
SourceT()
# endif # endif
); );
} }
@ -732,11 +711,12 @@ namespace /*Unique*/
} }
} }
d.TraceDebug( "buffer out: %s\n", util_output_bytes( (void*)pBuffer, nBufferItems * sizeof(BufferT) - nBufferLeft ).c_str() ); d.TraceDebug("buffer out: %s\n",
util_output_bytes((void*)pBuffer, nBufferItems * sizeof(BufferT) - nBufferLeft).c_str());
return nBufferItems - (nBufferLeft / sizeof(BufferT)); return nBufferItems - (nBufferLeft / sizeof(BufferT));
} }
}//Unique } // namespace
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - //- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// cIconvConverter // cIconvConverter
@ -789,10 +769,7 @@ void cIconvConverter::Init()
icFromDb = cIconvUtil::OpenHandle(cIconvUtil::GetCodePageID(), cIconvUtil::GetIconvDbIdentifier()); icFromDb = cIconvUtil::OpenHandle(cIconvUtil::GetCodePageID(), cIconvUtil::GetIconvDbIdentifier());
} }
int int cIconvConverter::Convert(ntmbs_t pbz, size_t nBytes, const_ntdbs_t pwz, size_t nChars)
cIconvConverter::Convert(
ntmbs_t pbz, size_t nBytes,
const_ntdbs_t pwz, size_t nChars )
{ {
cDebug d("cIconvConverter::Convert( ntdbs_t -> ntmbs_t )"); cDebug d("cIconvConverter::Convert( ntdbs_t -> ntmbs_t )");
@ -817,10 +794,7 @@ cIconvConverter::Convert(
return nConverted; return nConverted;
} }
int int cIconvConverter::Convert(ntdbs_t pwz, size_t nch, const_ntmbs_t pbz, size_t nBytes)
cIconvConverter::Convert(
ntdbs_t pwz, size_t nch,
const_ntmbs_t pbz, size_t nBytes )
{ {
cDebug d("cIconvConverter::Convert( ntmbs to ntdbs )"); cDebug d("cIconvConverter::Convert( ntmbs to ntdbs )");
@ -845,13 +819,6 @@ cIconvConverter::Convert(
} }
/* /*
@ -990,10 +957,7 @@ void cDoubleIconvConverter::Init()
icUTF8ToMb = cIconvUtil::OpenHandle(cIconvUtil::GetCodePageID(), cIconvUtil::GetMiddleIdentifier()); icUTF8ToMb = cIconvUtil::OpenHandle(cIconvUtil::GetCodePageID(), cIconvUtil::GetMiddleIdentifier());
} }
int int cDoubleIconvConverter::Convert(ntmbs_t pbz, size_t nBytes, const_ntdbs_t pwz, size_t nChars)
cDoubleIconvConverter::Convert(
ntmbs_t pbz, size_t nBytes,
const_ntdbs_t pwz, size_t nChars )
{ {
cDebug d("cDoubleIconvConverter::Convert( ntdbs_t -> ntmbs_t )"); cDebug d("cDoubleIconvConverter::Convert( ntdbs_t -> ntmbs_t )");
@ -1016,7 +980,7 @@ cDoubleIconvConverter::Convert(
// //
size_t nBufBytes = nChars * MB_LEN_MAX; size_t nBufBytes = nChars * MB_LEN_MAX;
ntmbs_t pszBuffer = (ntmbs_t)::operator new(nBufBytes + 1); ntmbs_t pszBuffer = (ntmbs_t)::operator new(nBufBytes + 1);
std::auto_ptr<mbchar_t> pBuf( pszBuffer ); TW_UNIQUE_PTR<mbchar_t> pBuf(pszBuffer);
// //
// do first conversion // do first conversion
@ -1051,10 +1015,7 @@ cDoubleIconvConverter::Convert(
return nConverted; return nConverted;
} }
int int cDoubleIconvConverter::Convert(ntdbs_t pwz, size_t nch, const_ntmbs_t pbz, size_t nBytes)
cDoubleIconvConverter::Convert(
ntdbs_t pwz, size_t nch,
const_ntmbs_t pbz, size_t nBytes )
{ {
cDebug d("cDoubleIconvConverter::Convert( ntmbs to ntdbs )"); cDebug d("cDoubleIconvConverter::Convert( ntmbs to ntdbs )");
@ -1074,7 +1035,7 @@ cDoubleIconvConverter::Convert(
// //
size_t nBufBytes = nBytes * MB_LEN_MAX; size_t nBufBytes = nBytes * MB_LEN_MAX;
ntmbs_t pszBuffer = (ntmbs_t)::operator new(nBufBytes + 1); ntmbs_t pszBuffer = (ntmbs_t)::operator new(nBufBytes + 1);
std::auto_ptr<mbchar_t> pBuf( pszBuffer ); TW_UNIQUE_PTR<mbchar_t> pBuf(pszBuffer);
// //
// do first conversion // do first conversion
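Review bot: `size_t nBufBytes = nBytes * MB_LEN_MAX;` is an unchecked multiplication on a caller-supplied length, and the result is then used as `nBufBytes + 1` for the allocation. A large `nBytes` wraps and yields an undersized buffer for the conversion that follows. Reject `nBytes` above `(SIZE_MAX - 1) / MB_LEN_MAX` before allocating. The same applies to `nChars * MB_LEN_MAX` in the other `Convert` overload.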
@ -1166,9 +1127,7 @@ void cIconvUtil::ResetConverter( iconv_t ic )
char* p = 0; char* p = 0;
size_t s = 0; size_t s = 0;
size_t i = iconv( ic, size_t i = iconv(ic, (ICONV_SOURCE_TYPE**)&p, &s, &p, &s);
(ICONV_SOURCE_TYPE**) &p,
&s, &p, &s );
if (i == (size_t)-1) if (i == (size_t)-1)
{ {
ASSERT(false); ASSERT(false);
@ -1209,7 +1168,6 @@ bool cIconvUtil::TestConverter( const char* pTo, const char* pFrom )
#endif //TSS_USE_ICONV_CCONV16 #endif //TSS_USE_ICONV_CCONV16
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - //- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// cWcharIs32BitUcs2Converterer // cWcharIs32BitUcs2Converterer
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - //- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@ -1218,8 +1176,7 @@ namespace /*Unique*/
{ {
//-- Ensures 1-to-1 mb to wide character mapping by doing a reverse conversion //-- Ensures 1-to-1 mb to wide character mapping by doing a reverse conversion
// and comparing the results // and comparing the results
int int tss_mbtowc(wchar_t* pwch, const mbchar_t* pch, size_t nBytes)
tss_mbtowc( wchar_t* pwch, const mbchar_t* pch, size_t nBytes )
{ {
// convert forward // convert forward
int nNarrow = ::mbtowc(pwch, pch, nBytes); int nNarrow = ::mbtowc(pwch, pch, nBytes);
@ -1233,8 +1190,7 @@ namespace /*Unique*/
return -1; return -1;
// compare... // compare...
if( ( nNarrow > (int)nBytes ) || if ((nNarrow > (int)nBytes) || (0 != memcmp(ach, pch, nNarrow)))
( 0 != memcmp( ach, pch, nNarrow ) ) )
return -1; return -1;
// success! // success!
@ -1243,8 +1199,7 @@ namespace /*Unique*/
//-- Ensures 1-to-1 mb to wide character mapping by doing a reverse conversion //-- Ensures 1-to-1 mb to wide character mapping by doing a reverse conversion
// and comparing the results // and comparing the results
int int tss_wctomb(mbchar_t* pch, wchar_t wch)
tss_wctomb( mbchar_t* pch, wchar_t wch )
{ {
// convert forward // convert forward
int nWide = ::wctomb(pch, wch); int nWide = ::wctomb(pch, wch);
@ -1265,8 +1220,7 @@ namespace /*Unique*/
return nWide; return nWide;
} }
int int tss_wcstombs(ntmbs_t pbz, const_ntwcs_t pwz, size_t nCount)
tss_wcstombs( ntmbs_t pbz, const_ntwcs_t pwz, size_t nCount )
{ {
cDebug d("tss_wcstombs"); cDebug d("tss_wcstombs");
@ -1286,8 +1240,7 @@ namespace /*Unique*/
} }
int int tss_mbstowcs(ntwcs_t pwz, const_ntmbs_t pbz, size_t nBytes)
tss_mbstowcs( ntwcs_t pwz, const_ntmbs_t pbz, size_t nBytes )
{ {
cDebug d("tss_mbstowcs"); cDebug d("tss_mbstowcs");
@ -1299,9 +1252,7 @@ namespace /*Unique*/
N = tss_mbtowc(pwz, pbz, end - pbz); N = tss_mbtowc(pwz, pbz, end - pbz);
if (N == (size_t)-1) if (N == (size_t)-1)
{ {
d.TraceDebug( d.TraceDebug("manually converting %X...\n", cConvertUtil::ConvertNonChar(*pbz));
"manually converting %X...\n",
cConvertUtil::ConvertNonChar( *pbz ) );
*pwz = (wchar_t)cConvertUtil::ConvertNonChar(*pbz); *pwz = (wchar_t)cConvertUtil::ConvertNonChar(*pbz);
N = 1; N = 1;
@ -1310,14 +1261,11 @@ namespace /*Unique*/
return (int)nConv; return (int)nConv;
} }
}//Unique } // namespace
#if WCHAR_IS_32_BITS #if WCHAR_IS_32_BITS
int int cWcharIs32BitUcs2Converterer::Convert(ntmbs_t pbz, size_t nBytes, const_ntdbs_t pwz, size_t nCount)
cWcharIs32BitUcs2Converterer::Convert(
ntmbs_t pbz, size_t nBytes,
const_ntdbs_t pwz, size_t nCount )
{ {
if (pbz == 0 || (pwz == 0 && nCount)) if (pbz == 0 || (pwz == 0 && nCount))
throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_ISNULL)); throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_ISNULL));
@ -1348,10 +1296,7 @@ cWcharIs32BitUcs2Converterer::Convert(
return nConv; return nConv;
} }
int int cWcharIs32BitUcs2Converterer::Convert(ntdbs_t pwz, size_t nCount, const_ntmbs_t pbz, size_t nBytes)
cWcharIs32BitUcs2Converterer::Convert(
ntdbs_t pwz, size_t nCount,
const_ntmbs_t pbz, size_t nBytes )
{ {
cDebug d("cWcharIs32BitUcs2Converterer::Convert( ntmbs to ntdbs )"); cDebug d("cWcharIs32BitUcs2Converterer::Convert( ntmbs to ntdbs )");
@ -1396,10 +1341,7 @@ cWcharIs32BitUcs2Converterer::Convert(
#if WCHAR_IS_16_BITS #if WCHAR_IS_16_BITS
int int cWcharIs16BitUcs2Converterer::Convert(ntmbs_t pbz, size_t nbMB, const_ntdbs_t pwz, size_t nch)
cWcharIs16BitUcs2Converterer::Convert(
ntmbs_t pbz, size_t nbMB,
const_ntdbs_t pwz, size_t nch )
{ {
// Validate Input // Validate Input
if (pbz == 0 || (pwz == 0 && nch)) if (pbz == 0 || (pwz == 0 && nch))
@ -1421,10 +1363,7 @@ cWcharIs16BitUcs2Converterer::Convert(
return nConverted; return nConverted;
} }
int int cWcharIs16BitUcs2Converterer::Convert(ntdbs_t pwz, size_t nch, const_ntmbs_t pbz, size_t nBytes)
cWcharIs16BitUcs2Converterer::Convert(
ntdbs_t pwz, size_t nch,
const_ntmbs_t pbz, size_t nBytes )
{ {
// Validate Input // Validate Input
if (pbz == 0 || (pwz == 0 && nch)) if (pbz == 0 || (pwz == 0 && nch))
@ -1444,11 +1383,7 @@ cWcharIs16BitUcs2Converterer::Convert(
#endif // WCHAR_IS_16_BITS #endif // WCHAR_IS_16_BITS
int cGoodEnoughConverterer::Convert(ntmbs_t pbz, size_t nBytes, const_ntdbs_t pwz, size_t nCount)
int
cGoodEnoughConverterer::Convert(
ntmbs_t pbz, size_t nBytes,
const_ntdbs_t pwz, size_t nCount )
{ {
if (pbz == 0 || (pwz == 0 && nCount)) if (pbz == 0 || (pwz == 0 && nCount))
throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_ISNULL)); throw eConverterFatal(TSS_GetString(cCore, core::STR_ERR_ISNULL));
@ -1479,10 +1414,7 @@ cGoodEnoughConverterer::Convert(
return ((size_t)at - (size_t)pbz); return ((size_t)at - (size_t)pbz);
} }
int int cGoodEnoughConverterer::Convert(ntdbs_t pwz, size_t nCount, const_ntmbs_t pbz, size_t nBytes)
cGoodEnoughConverterer::Convert(
ntdbs_t pwz, size_t nCount,
const_ntmbs_t pbz, size_t nBytes )
{ {
// Validate Input // Validate Input
if (pwz == 0 || (pbz == 0 && nBytes)) if (pwz == 0 || (pbz == 0 && nBytes))
@ -1525,9 +1457,7 @@ dbchar_t cConvertUtil::ConvertNonChar( mbchar_t ch )
dbchar_t wch = (dbchar_t)(tss::util::char_to_size(ch) + TSS_UCS2_RESERVED_START); dbchar_t wch = (dbchar_t)(tss::util::char_to_size(ch) + TSS_UCS2_RESERVED_START);
d.TraceDebug( "Converted 0x%08X to 0x%08X\n", d.TraceDebug("Converted 0x%08X to 0x%08X\n", tss::util::char_to_size(ch), tss::util::char_to_size(wch));
tss::util::char_to_size( ch ),
tss::util::char_to_size( wch ) );
return (wch); return (wch);
} }
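Review bot: the reformatted `d.TraceDebug("Converted 0x%08X to 0x%08X\n", ...)` call passes the results of `tss::util::char_to_size()` to `%08X`, which expects an `unsigned int`, while `ValueInReservedRange` further down stores the same function's result in a `size_t`. Where `size_t` is wider than `unsigned int` that is a variadic-argument type mismatch. Cast both arguments to `unsigned int` or switch the conversion to `%08zX`. The same applies to the `dbchar_t` overload in the next hunk.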
@ -1544,9 +1474,7 @@ mbchar_t cConvertUtil::ConvertNonChar( dbchar_t wch )
mbchar_t ch = (mbchar_t)(wch - TSS_UCS2_RESERVED_START); mbchar_t ch = (mbchar_t)(wch - TSS_UCS2_RESERVED_START);
d.TraceDebug( "Converted 0x%08X to 0x%08X\n", d.TraceDebug("Converted 0x%08X to 0x%08X\n", tss::util::char_to_size(wch), tss::util::char_to_size(ch));
tss::util::char_to_size( wch ),
tss::util::char_to_size( ch ) );
return (ch); return (ch);
} }
@ -1554,13 +1482,11 @@ mbchar_t cConvertUtil::ConvertNonChar( dbchar_t wch )
bool cConvertUtil::ValueInReservedRange(dbchar_t wch) bool cConvertUtil::ValueInReservedRange(dbchar_t wch)
{ {
size_t s = tss::util::char_to_size(wch); size_t s = tss::util::char_to_size(wch);
return( ( s >= TSS_UCS2_RESERVED_START ) && return ((s >= TSS_UCS2_RESERVED_START) && (s <= TSS_UCS2_RESERVED_END));
( s <= TSS_UCS2_RESERVED_END ) );
} }
bool cConvertUtil::ValueInReservedRange(mbchar_t ch) bool cConvertUtil::ValueInReservedRange(mbchar_t ch)
{ {
size_t s = tss::util::char_to_size(ch); size_t s = tss::util::char_to_size(ch);
return( ( s >= TSS_HIGH_ASCII_START ) && return ((s >= TSS_HIGH_ASCII_START) && (s <= TSS_HIGH_ASCII_END));
( s <= TSS_HIGH_ASCII_END ) );
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -91,42 +91,37 @@ TSS_EXCEPTION( eConverterUnknownCodepage, eConverter );
class iCodeConverter class iCodeConverter
{ {
public: public:
static iCodeConverter* GetInstance(); // Singleton static iCodeConverter* GetInstance(); // Singleton
static void Finit();
/// Subclass Responsibilities /// Subclass Responsibilities
virtual virtual int Convert(ntmbs_t, // NTMBS buffer
int
Convert(
ntmbs_t, // NTMBS buffer
size_t, // Capacity in mbchar_t's (bytes) size_t, // Capacity in mbchar_t's (bytes)
const_ntdbs_t, // null terminated two-byte wide character (UCS2 rep) const_ntdbs_t, // null terminated two-byte wide character (UCS2 rep)
size_t nCount) = 0; // Amount to convert in dbchar_t's size_t nCount) = 0; // Amount to convert in dbchar_t's
// returns number of buffer items converted, -1 on error // returns number of buffer items converted, -1 on error
virtual virtual int Convert(ntdbs_t, // NTDBS (Null-terminated two byte sequence) buf
int
Convert(
ntdbs_t, // NTDBS (Null-terminated two byte sequence) buf
size_t, // Capacity in dbchar_t's size_t, // Capacity in dbchar_t's
const_ntmbs_t, // Null-terminated multi-byte sequence const_ntmbs_t, // Null-terminated multi-byte sequence
size_t) = 0; // Capacity in mbchar_t's (bytes) size_t) = 0; // Capacity in mbchar_t's (bytes)
// returns number of buffer items converted, -1 on error // returns number of buffer items converted, -1 on error
protected: protected:
iCodeConverter()
iCodeConverter() {} {
virtual ~iCodeConverter() {} }
virtual ~iCodeConverter()
{
}
private: private:
static iCodeConverter* CreateConverter(); static iCodeConverter* CreateConverter();
static iCodeConverter* CreateGoodEnoughConverter(); static iCodeConverter* CreateGoodEnoughConverter();
static iCodeConverter* m_pInst; static iCodeConverter* m_pInst;
}; };
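Review bot: `static void Finit();` is added to `iCodeConverter` without a comment, right below `GetInstance(); // Singleton`. Document what it releases, whether it resets `m_pInst`, and whether `GetInstance()` may be called again afterwards, since users of the singleton depend on that lifetime contract.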
@ -147,7 +142,6 @@ class iCodeConverter
class cIconvUtil class cIconvUtil
{ {
public: public:
static const char* GetCodePageID(); // gets code page id for current locale, throws if error static const char* GetCodePageID(); // gets code page id for current locale, throws if error
static bool GetCodePageID(const char** ppCP); static bool GetCodePageID(const char** ppCP);
static const char* GetIconvDbIdentifier(); static const char* GetIconvDbIdentifier();
@ -162,7 +156,6 @@ class cIconvUtil
class cIconvConverter : public iCodeConverter class cIconvConverter : public iCodeConverter
{ {
public: public:
static bool Test(); // is there a conversion for the current codepage? static bool Test(); // is there a conversion for the current codepage?
virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t); virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t);
@ -181,7 +174,6 @@ class cIconvConverter : public iCodeConverter
class cDoubleIconvConverter : public iCodeConverter class cDoubleIconvConverter : public iCodeConverter
{ {
public: public:
static bool Test(); // is there a conversion for the current codepage? static bool Test(); // is there a conversion for the current codepage?
virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t); virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t);
@ -191,7 +183,6 @@ class cDoubleIconvConverter : public iCodeConverter
virtual ~cDoubleIconvConverter(); virtual ~cDoubleIconvConverter();
private: private:
void Init(); void Init();
iconv_t icMbToUTF8; iconv_t icMbToUTF8;
@ -221,7 +212,9 @@ public:
virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t); virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t);
virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t); virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t);
virtual ~cWcharIs32BitUcs2Converterer() {} virtual ~cWcharIs32BitUcs2Converterer()
{
}
}; };
#endif // WCHAR_IS_32_BITS #endif // WCHAR_IS_32_BITS
@ -241,7 +234,9 @@ public:
virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t); virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t);
virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t); virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t);
virtual ~cWcharIs16BitUcs2Converterer() {} virtual ~cWcharIs16BitUcs2Converterer()
{
}
}; };
#endif // WCHAR_IS_16_BITS #endif // WCHAR_IS_16_BITS
@ -254,7 +249,9 @@ public:
virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t); virtual int Convert(ntmbs_t, size_t, const_ntdbs_t, size_t);
virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t); virtual int Convert(ntdbs_t, size_t, const_ntmbs_t, size_t);
virtual ~cGoodEnoughConverterer() {} virtual ~cGoodEnoughConverterer()
{
}
}; };
@ -267,6 +264,7 @@ class cConvertUtil
TSS_HIGH_ASCII_START = 0x0080u, TSS_HIGH_ASCII_START = 0x0080u,
TSS_HIGH_ASCII_END = 0x00FFu TSS_HIGH_ASCII_END = 0x00FFu
}; };
public: public:
static dbchar_t ConvertNonChar(mbchar_t ch); static dbchar_t ConvertNonChar(mbchar_t ch);
static mbchar_t ConvertNonChar(dbchar_t ch); static mbchar_t ConvertNonChar(dbchar_t ch);
@ -277,4 +275,3 @@ public:
#endif //__CODECONVERT_H #endif //__CODECONVERT_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -60,5 +60,7 @@ cCore::cCore()
iCodeConverter::GetInstance(); iCodeConverter::GetInstance();
} }
cCore::~cCore()
// eof: core.cpp {
iCodeConverter::Finit();
}
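Review bot: the new `cCore::~cCore()` calls `iCodeConverter::Finit()` unconditionally, so anything that converts strings after `cCore` is destroyed (static destructors, late error reporting) would reach a converter that has already been torn down. The body of `Finit()` is not in this diff. Confirm that it is safe to call more than once and that it clears `m_pInst`, so a later `GetInstance()` either recreates the converter or fails cleanly instead of returning a stale pointer.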

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -52,10 +52,9 @@ TSS_BeginPackage( cCore )
TSS_DECLARE_STRINGTABLE; TSS_DECLARE_STRINGTABLE;
public: public:
cCore(); cCore();
~cCore();
TSS_EndPackage(cCore) TSS_EndPackage(cCore)
#endif //__CORE_H #endif //__CORE_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -98,11 +98,9 @@ TSS_REGISTER_ERROR( eFileFlush(), _T("File could not be flushed.") )
TSS_REGISTER_ERROR(eFileRewind(), _T("File could not be rewound.")) TSS_REGISTER_ERROR(eFileRewind(), _T("File could not be rewound."))
/// Win32 /// General API failures
#if IS_UNIX
TSS_REGISTER_ERROR(eUnix(), _T("Unix API failure.")) TSS_REGISTER_ERROR(eUnix(), _T("Unix API failure."))
#endif
/// FSServices /// FSServices
@ -112,7 +110,8 @@ TSS_REGISTER_ERROR( eFSServicesGeneric(),_T("File system error.") )
/// Serializer /// Serializer
TSS_REGISTER_ERROR( eSerializerUnknownType(), _T("Unknown type encountered in file.\nFile format may not be valid for this platform.") ) TSS_REGISTER_ERROR(eSerializerUnknownType(),
_T("Unknown type encountered in file.\nFile format may not be valid for this platform."))
TSS_REGISTER_ERROR(eSerializerInputStreamFmt(), _T("Invalid input stream format.")) TSS_REGISTER_ERROR(eSerializerInputStreamFmt(), _T("Invalid input stream format."))
TSS_REGISTER_ERROR(eSerializerOutputStreamFmt(), _T("Invalid output stream format.")) TSS_REGISTER_ERROR(eSerializerOutputStreamFmt(), _T("Invalid output stream format."))
TSS_REGISTER_ERROR(eSerializerInputStremTypeArray(), _T("A bad index was encountered in file.")) TSS_REGISTER_ERROR(eSerializerInputStremTypeArray(), _T("A bad index was encountered in file."))
@ -165,4 +164,3 @@ TSS_REGISTER_ERROR( eUnknownEscapeEncoding(), _T("Unknown encoding in display
TSS_END_ERROR_REGISTRATION() TSS_END_ERROR_REGISTRATION()

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -45,4 +45,3 @@ TSS_DECLARE_ERROR_REGISTRATION( core )
#endif //__COREERRORS_H #endif //__COREERRORS_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -44,14 +44,11 @@ TSS_BeginStringtable( cCore )
TSS_StringEntry(core::STR_ERR2_ARCH_CRYPTO_ERR, _T("File could not be decrypted.")), TSS_StringEntry(core::STR_ERR2_ARCH_CRYPTO_ERR, _T("File could not be decrypted.")),
TSS_StringEntry(core::STR_ERR2_BAD_ARG_PARAMS, _T("Argument: ")), TSS_StringEntry(core::STR_ERR2_BAD_ARG_PARAMS, _T("Argument: ")),
TSS_StringEntry(core::STR_ERROR_ERROR, _T("### Error")), TSS_StringEntry(core::STR_ERROR_ERROR, _T("### Error")),
TSS_StringEntry( core::STR_ERROR_WARNING, _T("### Warning") ), TSS_StringEntry(core::STR_ERROR_WARNING, _T("### Warning")), TSS_StringEntry(core::STR_ERROR_COLON, _T(":")),
TSS_StringEntry( core::STR_ERROR_COLON, _T(":") ), TSS_StringEntry(core::STR_ERROR_HEADER, _T("### ")), TSS_StringEntry(core::STR_ERROR_EXITING, _T("Exiting...")),
TSS_StringEntry( core::STR_ERROR_HEADER, _T("### ") ),
TSS_StringEntry( core::STR_ERROR_EXITING, _T("Exiting...") ),
TSS_StringEntry(core::STR_ERROR_CONTINUING, _T("Continuing...")), TSS_StringEntry(core::STR_ERROR_CONTINUING, _T("Continuing...")),
TSS_StringEntry(core::STR_ERR2_FILENAME, _T("Filename: ")), TSS_StringEntry(core::STR_ERR2_FILENAME, _T("Filename: ")),
TSS_StringEntry( core::STR_ERROR_FILENAME, _T("Filename: ") ), TSS_StringEntry(core::STR_ERROR_FILENAME, _T("Filename: ")), TSS_StringEntry(core::STR_UNKNOWN, _T("Unknown")),
TSS_StringEntry( core::STR_UNKNOWN, _T("Unknown") ),
TSS_StringEntry(core::STR_NUMBER_TOO_BIG, _T("Number too big")), TSS_StringEntry(core::STR_NUMBER_TOO_BIG, _T("Number too big")),
TSS_StringEntry(core::STR_SIGNAL, _T("Software interrupt forced exit:")), TSS_StringEntry(core::STR_SIGNAL, _T("Software interrupt forced exit:")),
TSS_StringEntry(core::STR_NEWLINE, _T("\n")), TSS_StringEntry(core::STR_NEWLINE, _T("\n")),
@ -59,7 +56,9 @@ TSS_BeginStringtable( cCore )
TSS_StringEntry(core::STR_MEMARCHIVE_ERRSTR, _T("")), TSS_StringEntry(core::STR_MEMARCHIVE_ERRSTR, _T("")),
TSS_StringEntry(core::STR_ENDOFTIME, _T("Tripwire is not designed to run past the year 2038.\nNow exiting...")), TSS_StringEntry(core::STR_ENDOFTIME, _T("Tripwire is not designed to run past the year 2038.\nNow exiting...")),
TSS_StringEntry(core::STR_UNKNOWN_TIME, _T("Unknown time")), TSS_StringEntry(core::STR_UNKNOWN_TIME, _T("Unknown time")),
TSS_StringEntry( core::STR_BAD_TEMPDIRECTORY, _T("Solution: Check existence/permissions for directory specified by TEMPDIRECTORY in config file") ), TSS_StringEntry(
core::STR_BAD_TEMPDIRECTORY,
_T("Solution: Check existence/permissions for directory specified by TEMPDIRECTORY in config file")),
/// Particularly useful for eCharacter and eCharacterEncoding /// Particularly useful for eCharacter and eCharacterEncoding
TSS_StringEntry(core::STR_ERR_ISNULL, _T("Argument cannot be null.")), TSS_StringEntry(core::STR_ERR_ISNULL, _T("Argument cannot be null.")),
@ -68,6 +67,3 @@ TSS_BeginStringtable( cCore )
TSS_StringEntry(core::STR_ERR_BADCHAR, _T("Input contained an invalid character.")) TSS_StringEntry(core::STR_ERR_BADCHAR, _T("Input contained an invalid character."))
TSS_EndStringtable(cCore) TSS_EndStringtable(cCore)
// eof: corestrings.cpp

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -48,34 +48,16 @@
TSS_BeginStringIds(core) TSS_BeginStringIds(core)
STR_ERR2_ARCH_CRYPTO_ERR, STR_ERR2_ARCH_CRYPTO_ERR,
STR_ERR2_BAD_ARG_PARAMS, STR_ERR2_BAD_ARG_PARAMS, STR_ERROR_ERROR, STR_ERROR_WARNING, STR_ERROR_COLON, STR_ERROR_HEADER, STR_ERROR_EXITING,
STR_ERROR_ERROR, STR_ERROR_CONTINUING, STR_ERR2_FILENAME, STR_ERROR_FILENAME, STR_NUMBER_TOO_BIG, STR_UNKNOWN, STR_SIGNAL,
STR_ERROR_WARNING, STR_NEWLINE, STR_MEMARCHIVE_FILENAME, STR_MEMARCHIVE_ERRSTR, STR_ENDOFTIME, STR_UNKNOWN_TIME, STR_BAD_TEMPDIRECTORY,
STR_ERROR_COLON,
STR_ERROR_HEADER,
STR_ERROR_EXITING,
STR_ERROR_CONTINUING,
STR_ERR2_FILENAME,
STR_ERROR_FILENAME,
STR_NUMBER_TOO_BIG,
STR_UNKNOWN,
STR_SIGNAL,
STR_NEWLINE,
STR_MEMARCHIVE_FILENAME,
STR_MEMARCHIVE_ERRSTR,
STR_ENDOFTIME,
STR_UNKNOWN_TIME,
STR_BAD_TEMPDIRECTORY,
/// Particularly useful for eCharacterSet and eCharacterEncoding /// Particularly useful for eCharacterSet and eCharacterEncoding
STR_ERR_ISNULL, STR_ERR_ISNULL, STR_ERR_OVERFLOW, STR_ERR_UNDERFLOW,
STR_ERR_OVERFLOW,
STR_ERR_UNDERFLOW,
STR_ERR_BADCHAR STR_ERR_BADCHAR
TSS_EndStringIds(core) TSS_EndStringIds(core)
#endif //__CORESTRINGS_H #endif //__CORESTRINGS_H
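Review bot: the new `TSS_BeginStringIds(core)` list packs six or seven identifiers onto each line (for example the line starting `STR_ERR2_BAD_ARG_PARAMS, STR_ERROR_ERROR, ...`), while `STR_ERR2_ARCH_CRYPTO_ERR` and `STR_ERR_BADCHAR` stay on lines of their own. Future additions and removals will be hard to read in a diff. Keep one identifier per line as on the old side, and if this layout comes from an automatic formatter, exclude the block from it.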

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -63,7 +63,7 @@ cDebug::cDebug(const char* label)
cDebug::cDebug(const cDebug& rhs) cDebug::cDebug(const cDebug& rhs)
{ {
strcpy(mLabel, rhs.mLabel); strncpy(mLabel, rhs.mLabel, MAX_LABEL);
} }
cDebug::~cDebug() cDebug::~cDebug()
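Review bot: `strncpy(mLabel, rhs.mLabel, MAX_LABEL);` in the copy constructor writes no terminating NUL when the source has `MAX_LABEL` or more characters before its terminator, so the write is bounded but `mLabel` can be left unterminated for later string reads. The declaration of `mLabel` is not in this diff. If it is a `MAX_LABEL`-byte array, copy at most `MAX_LABEL - 1` bytes and set `mLabel[MAX_LABEL - 1] = '\0'` afterwards.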
@ -86,7 +86,6 @@ void cDebug::Trace(int levelNum, const char* format, ...)
va_start(args, format); va_start(args, format);
DoTrace(format, args); DoTrace(format, args);
va_end(args); va_end(args);
} }
@ -102,7 +101,7 @@ void cDebug::DoTrace(const char *format, va_list &args)
char out[2048]; char out[2048];
size_t guard2 = 0xBABABABA; size_t guard2 = 0xBABABABA;
vsprintf(out, format, args); vsnprintf(out, 2048, format, args);
ASSERT(guard1 == 0xBABABABA && guard2 == 0xBABABABA); // string was too long ASSERT(guard1 == 0xBABABABA && guard2 == 0xBABABABA); // string was too long
ASSERT(strlen(out) < 1024); ASSERT(strlen(out) < 1024);
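Review bot: `vsnprintf(out, 2048, format, args);` repeats the size of `char out[2048];` as a literal; use `sizeof(out)` so the bound cannot drift from the declaration. With the bounded call, the guard check commented `// string was too long` can no longer detect an over-long message, because the output is now silently truncated. If truncation should still be reported, compare the return value of `vsnprintf` against `sizeof(out)`. Note also that `ASSERT(strlen(out) < 1024)` still rejects lengths the 2048-byte buffer holds without trouble.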
@ -231,7 +230,8 @@ bool cDebug::AddOutTarget(OutTarget target)
mOutMask |= OUT_STDOUT; mOutMask |= OUT_STDOUT;
if (target == OUT_TRACE) if (target == OUT_TRACE)
mOutMask |= OUT_TRACE; mOutMask |= OUT_TRACE;
if (target == OUT_FILE) { if (target == OUT_FILE)
{
mOutMask |= OUT_FILE; mOutMask |= OUT_FILE;
return false; return false;
} }
@ -286,10 +286,12 @@ bool cDebug::SetOutputFile(const char* filename)
//make sure info. will not be clobbered. //make sure info. will not be clobbered.
//Should be open now- if not, abort. //Should be open now- if not, abort.
if (!logfile) { if (!logfile)
{
mOutMask ^= OUT_FILE; mOutMask ^= OUT_FILE;
return false; return false;
} else }
else
mOutMask |= OUT_FILE; mOutMask |= OUT_FILE;
return true; return true;
} }
@ -304,10 +306,10 @@ void cDebug::DebugOut( const char* lpOutputString, ... )
// create the output buffer // create the output buffer
va_list args; va_list args;
va_start(args, lpOutputString); va_start(args, lpOutputString);
vsprintf(buf, lpOutputString, args); vsnprintf(buf, 2048, lpOutputString, args);
va_end(args); va_end(args);
#ifdef _DEBUG # ifdef DEBUG
TCERR << buf; TCERR << buf;
# endif //_DEBUG # endif //_DEBUG
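Review bot: the guard changes from `#ifdef _DEBUG` to `# ifdef DEBUG`, but the closing `# endif //_DEBUG` comment still names the old macro; update it to match. The bound in `vsnprintf(buf, 2048, lpOutputString, args);` is a literal and the declaration of `buf` is outside this hunk, so confirm that `buf` is at least 2048 bytes and use `sizeof(buf)` if it is an array.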
@ -318,4 +320,3 @@ void cDebug::DebugOut( const char* lpOutputString, ... )
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////
// ASSERT macro support function // ASSERT macro support function
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -40,8 +40,6 @@
#include <assert.h> #include <assert.h>
#include <iostream> #include <iostream>
/* Do it in this order, because autoconf checks for <stdarg.h> /* Do it in this order, because autoconf checks for <stdarg.h>
* first i.e. if HAVE_VARARGS_H is defined, it is only because * first i.e. if HAVE_VARARGS_H is defined, it is only because
@ -125,7 +123,6 @@ public:
// Outputs based on levelnum. If levelnum <= global debug, print. // Outputs based on levelnum. If levelnum <= global debug, print.
public: public:
static bool AddOutTarget(OutTarget target); static bool AddOutTarget(OutTarget target);
static bool RemoveOutTarget(OutTarget target); static bool RemoveOutTarget(OutTarget target);
// used to specify the out target.... // used to specify the out target....
@ -144,7 +141,10 @@ public:
// than that will have unpredictable and probably bad results // than that will have unpredictable and probably bad results
private: private:
#ifdef DEBUG #ifdef DEBUG
enum { MAX_LABEL = 128 }; enum
{
MAX_LABEL = 128
};
static int mDebugLevel; static int mDebugLevel;
static uint32 mOutMask; static uint32 mOutMask;
@ -156,11 +156,11 @@ private:
#endif #endif
}; };
#ifdef _DEBUG #ifdef DEBUG
# define TRACE cDebug::DebugOut # define TRACE cDebug::DebugOut
#else #else
# define TRACE 1 ? (void)0 : cDebug::DebugOut # define TRACE 1 ? (void)0 : cDebug::DebugOut
#endif // _DEBUG #endif // DEBUG
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////
// inline implementation // inline implementation
@ -181,44 +181,78 @@ inline int cDebug::GetDebugLevel()
# else // DEBUG # else // DEBUG
inline cDebug::cDebug (const char *) {} inline cDebug::cDebug(const char*)
inline cDebug::~cDebug () {} {
inline cDebug::cDebug (const cDebug&) {} }
inline void cDebug::TraceAlways (const char *, ...) {} inline cDebug::~cDebug()
inline void cDebug::TraceError (const char *, ...) {} {
inline void cDebug::TraceWarning (const char *, ...) {} }
inline void cDebug::TraceDebug (const char *, ...) {} inline cDebug::cDebug(const cDebug&)
inline void cDebug::TraceDetail (const char *, ...) {} {
inline void cDebug::TraceNever (const char *, ...) {} }
inline void cDebug::TraceVaArgs (int, const char *, va_list &) {} inline void cDebug::TraceAlways(const char*, ...)
inline void cDebug::Trace (int, const char*, ...) {} {
inline bool cDebug::AddOutTarget (OutTarget) { return false; } }
inline bool cDebug::RemoveOutTarget (OutTarget) { return false; } inline void cDebug::TraceError(const char*, ...)
inline bool cDebug::HasOutTarget (OutTarget) { return false; } {
inline bool cDebug::SetOutputFile (const char*) { return false; } }
inline void cDebug::SetDebugLevel (int) {} inline void cDebug::TraceWarning(const char*, ...)
inline int cDebug::GetDebugLevel (void) { return 0; } {
inline void cDebug::DebugOut ( const char*, ... ) {} }
inline void cDebug::TraceDebug(const char*, ...)
{
}
inline void cDebug::TraceDetail(const char*, ...)
{
}
inline void cDebug::TraceNever(const char*, ...)
{
}
inline void cDebug::TraceVaArgs(int, const char*, va_list&)
{
}
inline void cDebug::Trace(int, const char*, ...)
{
}
inline bool cDebug::AddOutTarget(OutTarget)
{
return false;
}
inline bool cDebug::RemoveOutTarget(OutTarget)
{
return false;
}
inline bool cDebug::HasOutTarget(OutTarget)
{
return false;
}
inline bool cDebug::SetOutputFile(const char*)
{
return false;
}
inline void cDebug::SetDebugLevel(int)
{
}
inline int cDebug::GetDebugLevel(void)
{
return 0;
}
inline void cDebug::DebugOut(const char*, ...)
{
}
# endif // DEBUG # endif // DEBUG
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////
// ASSERT macro // ASSERT macro
////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////
#if IS_UNIX
# define ASSERTMSG(exp, s) assert((exp) != 0) # define ASSERTMSG(exp, s) assert((exp) != 0)
# define ASSERT(exp) assert((exp) != 0) # define ASSERT(exp) assert((exp) != 0)
// if we are not windows we will just use the standard assert() // if we are not windows we will just use the standard assert()
# define TSS_DebugBreak() ASSERT(false); # define TSS_DebugBreak() ASSERT(false);
#endif// IS_UNIX
# ifndef ASSERT # ifndef ASSERT
# error ASSERT did not get defined!!! # error ASSERT did not get defined!!!
# endif # endif
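Review bot: with the `#if IS_UNIX` / `#endif// IS_UNIX` pair removed, `ASSERT` is defined unconditionally, so the `# ifndef ASSERT` / `# error ASSERT did not get defined!!!` check directly after it can never trigger, and the comment `// if we are not windows we will just use the standard assert()` no longer describes a choice. Remove the dead check and reword or drop the comment.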
@ -232,4 +266,3 @@ inline void cDebug::DebugOut ( const char*, ... ) {}
# endif # endif
#endif //__DEBUG_H #endif //__DEBUG_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -66,8 +66,7 @@
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
inline bool IsSingleTCHAR( TSTRING::const_iterator first, inline bool IsSingleTCHAR(TSTRING::const_iterator first, TSTRING::const_iterator last)
TSTRING::const_iterator last )
{ {
return (first + 1 == last); return (first + 1 == last);
} }
@ -81,23 +80,21 @@ inline bool IsSingleTCHAR( TSTRING::const_iterator first,
class iCharEncoder class iCharEncoder
{ {
public: public:
virtual bool NeedsEncoding( TSTRING::const_iterator first, virtual ~iCharEncoder(){};
TSTRING::const_iterator last ) const = 0;
virtual bool NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const = 0;
// Determines if character identified by [first,last) needs encoding. // Determines if character identified by [first,last) needs encoding.
// Returns true if it does. // Returns true if it does.
virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const = 0;
TSTRING::const_iterator last ) const = 0;
// Encodes character identified by [first,last) in such a way that it // Encodes character identified by [first,last) in such a way that it
// can be decoded by Decode(). Returns encoded character sequence. // can be decoded by Decode(). Returns encoded character sequence.
virtual TSTRING EncodePretty( TSTRING::const_iterator first, virtual TSTRING EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const = 0;
TSTRING::const_iterator last ) const = 0;
// Encodes character identified by [first,last) in a manner that is not roundtrip, // Encodes character identified by [first,last) in a manner that is not roundtrip,
// but looks good. Returns encoded character sequence. // but looks good. Returns encoded character sequence.
virtual TSTRING Decode( TSTRING::const_iterator* pcur, virtual TSTRING Decode(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end) const = 0;
const TSTRING::const_iterator end ) const = 0;
// Decodes character sequence beginning with '*pcur' and ending before 'end'. // Decodes character sequence beginning with '*pcur' and ending before 'end'.
// Returns decoded character or sequence of characters. Advances *pcur beyond // Returns decoded character or sequence of characters. Advances *pcur beyond
// the last character decoded. // the last character decoded.
@ -105,10 +102,12 @@ class iCharEncoder
virtual TCHAR Identifier() const = 0; virtual TCHAR Identifier() const = 0;
static TCHAR EscapeChar() { return char_escape; } static TCHAR EscapeChar()
{
return char_escape;
}
protected: protected:
static TCHAR char_escape; static TCHAR char_escape;
}; };
@ -116,19 +115,20 @@ class iCharEncoder
class cNonNarrowableCharEncoder : public iCharEncoder class cNonNarrowableCharEncoder : public iCharEncoder
{ {
public: public:
virtual bool NeedsEncoding( TSTRING::const_iterator first, virtual ~cNonNarrowableCharEncoder()
TSTRING::const_iterator last ) const; {
}
virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, virtual bool NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING EncodePretty( TSTRING::const_iterator first, virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING Decode( TSTRING::const_iterator* cur, virtual TSTRING EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
const TSTRING::const_iterator end ) const;
virtual TSTRING Decode(TSTRING::const_iterator* cur, const TSTRING::const_iterator end) const;
virtual TCHAR Identifier() const; virtual TCHAR Identifier() const;
private: private:
static TCHAR char_identifier; static TCHAR char_identifier;
static TCHAR char_replace; static TCHAR char_replace;
@ -138,22 +138,22 @@ class cNonNarrowableCharEncoder : public iCharEncoder
class cNonPrintableCharEncoder : public iCharEncoder class cNonPrintableCharEncoder : public iCharEncoder
{ {
public: public:
cNonPrintableCharEncoder( bool f_allowWS ) cNonPrintableCharEncoder(bool f_allowWS) : m_allowWS(f_allowWS){};
: m_allowWS( f_allowWS ) {};
virtual bool NeedsEncoding( TSTRING::const_iterator first, virtual ~cNonPrintableCharEncoder()
TSTRING::const_iterator last ) const; {
}
virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, virtual bool NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING EncodePretty( TSTRING::const_iterator first, virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING Decode( TSTRING::const_iterator* cur, virtual TSTRING EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
const TSTRING::const_iterator end ) const;
virtual TSTRING Decode(TSTRING::const_iterator* cur, const TSTRING::const_iterator end) const;
virtual TCHAR Identifier() const; virtual TCHAR Identifier() const;
private: private:
static TCHAR char_identifier; static TCHAR char_identifier;
static TCHAR char_replace; static TCHAR char_replace;
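Review bot: `cNonPrintableCharEncoder(bool f_allowWS) : m_allowWS(f_allowWS){};` is a single-argument constructor that is not marked `explicit`, so a `bool` converts implicitly to an encoder object; mark it `explicit`. The `;` after the constructor body is redundant and can be dropped while the line is being touched.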
@ -164,19 +164,20 @@ class cNonPrintableCharEncoder : public iCharEncoder
class cQuoteCharEncoder : public iCharEncoder class cQuoteCharEncoder : public iCharEncoder
{ {
public: public:
virtual bool NeedsEncoding( TSTRING::const_iterator first, virtual ~cQuoteCharEncoder()
TSTRING::const_iterator last ) const; {
}
virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, virtual bool NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING EncodePretty( TSTRING::const_iterator first, virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING Decode( TSTRING::const_iterator* cur, virtual TSTRING EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
const TSTRING::const_iterator end ) const;
virtual TSTRING Decode(TSTRING::const_iterator* cur, const TSTRING::const_iterator end) const;
virtual TCHAR Identifier() const; virtual TCHAR Identifier() const;
private: private:
static TCHAR char_test; static TCHAR char_test;
static TCHAR char_identifier; static TCHAR char_identifier;
@ -187,19 +188,20 @@ class cQuoteCharEncoder : public iCharEncoder
class cBackslashCharEncoder : public iCharEncoder class cBackslashCharEncoder : public iCharEncoder
{ {
public: public:
virtual bool NeedsEncoding( TSTRING::const_iterator first, virtual ~cBackslashCharEncoder()
TSTRING::const_iterator last ) const; {
}
virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, virtual bool NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING EncodePretty( TSTRING::const_iterator first, virtual TSTRING EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
TSTRING::const_iterator last ) const;
virtual TSTRING Decode( TSTRING::const_iterator* cur, virtual TSTRING EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const;
const TSTRING::const_iterator end ) const;
virtual TSTRING Decode(TSTRING::const_iterator* cur, const TSTRING::const_iterator end) const;
virtual TCHAR Identifier() const; virtual TCHAR Identifier() const;
private: private:
static TCHAR char_test; static TCHAR char_test;
static TCHAR char_identifier; static TCHAR char_identifier;
@ -231,18 +233,13 @@ TCHAR cNonPrintableCharEncoder::char_replace = _T('?');
// TESTS // TESTS
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
bool cNonNarrowableCharEncoder::NeedsEncoding( bool cNonNarrowableCharEncoder::NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
return false; // all chars are narrow return false; // all chars are narrow
} }
bool cNonPrintableCharEncoder::NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const
bool cNonPrintableCharEncoder::NeedsEncoding(
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
// TODO:BAM -- handle this with mb chars // TODO:BAM -- handle this with mb chars
// std::isprint<wchar_t> does a wctob() on the wchar!!?!?! // std::isprint<wchar_t> does a wctob() on the wchar!!?!?!
@ -274,26 +271,14 @@ bool cNonPrintableCharEncoder::NeedsEncoding(
return cCharEncoderUtil::IsPrintable(*first); return cCharEncoderUtil::IsPrintable(*first);
} }
bool cQuoteCharEncoder::NeedsEncoding( bool cQuoteCharEncoder::NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
return( return (IsSingleTCHAR(first, last) && (*first == char_test));
IsSingleTCHAR( first, last )
&&
( *first == char_test )
);
} }
bool cBackslashCharEncoder::NeedsEncoding( bool cBackslashCharEncoder::NeedsEncoding(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
return( return (IsSingleTCHAR(first, last) && (*first == char_test));
IsSingleTCHAR( first, last )
&&
( *first == char_test )
);
} }
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
@ -301,9 +286,7 @@ bool cBackslashCharEncoder::NeedsEncoding(
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
TSTRING cNonNarrowableCharEncoder::EncodeRoundtrip( TSTRING cNonNarrowableCharEncoder::EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
TSTRING str; TSTRING str;
@ -315,9 +298,7 @@ TSTRING cNonNarrowableCharEncoder::EncodeRoundtrip(
} }
TSTRING cNonPrintableCharEncoder::EncodeRoundtrip( TSTRING cNonPrintableCharEncoder::EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
ASSERT(IsSingleTCHAR(first, last)); // non-prints are single char (see NOTE above) ASSERT(IsSingleTCHAR(first, last)); // non-prints are single char (see NOTE above)
@ -331,9 +312,7 @@ TSTRING cNonPrintableCharEncoder::EncodeRoundtrip(
} }
TSTRING cQuoteCharEncoder::EncodeRoundtrip( TSTRING cQuoteCharEncoder::EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
// should just be a quote // should just be a quote
ASSERT(IsSingleTCHAR(first, last)); ASSERT(IsSingleTCHAR(first, last));
@ -348,10 +327,7 @@ TSTRING cQuoteCharEncoder::EncodeRoundtrip(
} }
TSTRING cBackslashCharEncoder::EncodeRoundtrip(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING cBackslashCharEncoder::EncodeRoundtrip(
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
// should just be a backslash // should just be a backslash
ASSERT(IsSingleTCHAR(first, last)); ASSERT(IsSingleTCHAR(first, last));
@ -370,25 +346,19 @@ TSTRING cBackslashCharEncoder::EncodeRoundtrip(
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
TSTRING cNonNarrowableCharEncoder::EncodePretty( TSTRING cNonNarrowableCharEncoder::EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
return EncodeRoundtrip(first, last); return EncodeRoundtrip(first, last);
} }
TSTRING cNonPrintableCharEncoder::EncodePretty( TSTRING cNonPrintableCharEncoder::EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
return EncodeRoundtrip(first, last); return EncodeRoundtrip(first, last);
} }
TSTRING cQuoteCharEncoder::EncodePretty( TSTRING cQuoteCharEncoder::EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
// should just be a quote // should just be a quote
ASSERT(IsSingleTCHAR(first, last)); ASSERT(IsSingleTCHAR(first, last));
@ -398,9 +368,7 @@ TSTRING cQuoteCharEncoder::EncodePretty(
} }
TSTRING cBackslashCharEncoder::EncodePretty( TSTRING cBackslashCharEncoder::EncodePretty(TSTRING::const_iterator first, TSTRING::const_iterator last) const
TSTRING::const_iterator first,
TSTRING::const_iterator last ) const
{ {
// should just be a backslash // should just be a backslash
ASSERT(IsSingleTCHAR(first, last)); ASSERT(IsSingleTCHAR(first, last));
@ -414,8 +382,7 @@ TSTRING cBackslashCharEncoder::EncodePretty(
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
TSTRING cNonNarrowableCharEncoder::Decode( TSTRING::const_iterator* pcur, TSTRING cNonNarrowableCharEncoder::Decode(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end) const
const TSTRING::const_iterator end ) const
{ {
// check preconditions // check preconditions
if ((*pcur) >= end || *(*pcur) != Identifier()) if ((*pcur) >= end || *(*pcur) != Identifier())
@ -425,8 +392,7 @@ TSTRING cNonNarrowableCharEncoder::Decode( TSTRING::const_iterator* pcur,
} }
TSTRING cNonPrintableCharEncoder::Decode( TSTRING::const_iterator* pcur, TSTRING cNonPrintableCharEncoder::Decode(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end) const
const TSTRING::const_iterator end ) const
{ {
// check preconditions // check preconditions
if ((*pcur) >= end || *(*pcur) != Identifier()) if ((*pcur) >= end || *(*pcur) != Identifier())
@ -436,8 +402,7 @@ TSTRING cNonPrintableCharEncoder::Decode( TSTRING::const_iterator* pcur,
} }
TSTRING cQuoteCharEncoder::Decode( TSTRING::const_iterator* pcur, TSTRING cQuoteCharEncoder::Decode(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end) const
const TSTRING::const_iterator end ) const
{ {
if ((*pcur) >= end || *(*pcur) != Identifier()) if ((*pcur) >= end || *(*pcur) != Identifier())
ThrowAndAssert(eBadDecoderInput()); ThrowAndAssert(eBadDecoderInput());
@ -448,8 +413,7 @@ TSTRING cQuoteCharEncoder::Decode( TSTRING::const_iterator* pcur,
} }
TSTRING cBackslashCharEncoder::Decode( TSTRING::const_iterator* pcur, TSTRING cBackslashCharEncoder::Decode(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end) const
const TSTRING::const_iterator end ) const
{ {
if ((*pcur) >= end || *(*pcur) != Identifier()) if ((*pcur) >= end || *(*pcur) != Identifier())
ThrowAndAssert(eBadDecoderInput()); ThrowAndAssert(eBadDecoderInput());
@ -492,11 +456,7 @@ TCHAR cBackslashCharEncoder::Identifier() const
bool cCharEncoderUtil::IsWhiteSpace(TCHAR ch) bool cCharEncoderUtil::IsWhiteSpace(TCHAR ch)
{ {
return ( ch == '\r' || return (ch == '\r' || ch == '\n' || ch == '\t' || ch == '\v' || ch == ' ');
ch == '\n' ||
ch == '\t' ||
ch == '\v' ||
ch == ' ' );
} }
bool cCharEncoderUtil::IsPrintable(TCHAR ch) bool cCharEncoderUtil::IsPrintable(TCHAR ch)
@ -507,11 +467,8 @@ bool cCharEncoderUtil::IsPrintable( TCHAR ch )
#else // USE_CLIB_LOCALE #else // USE_CLIB_LOCALE
#if IS_UNIX
return (!std::isprint<TCHAR>(ch, std::locale())); return (!std::isprint<TCHAR>(ch, std::locale()));
#endif
#endif // USE_CLIB_LOCALE #endif // USE_CLIB_LOCALE
} }
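Review bot: `cCharEncoderUtil::IsPrintable` returns `!std::isprint<TCHAR>(ch, std::locale())` in the non-`USE_CLIB_LOCALE` branch, so it reports true for characters that are not printable, and `cNonPrintableCharEncoder::NeedsEncoding` depends on that inversion by returning the result directly. Since this hunk already touches the function by dropping the `IS_UNIX` guard, either rename it to something like `IsNonPrintable` or add a comment at the return stating the inverted sense, so a later caller does not use it to decide that a byte is safe to display unescaped.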
@ -542,8 +499,7 @@ TSTRING cCharEncoderUtil::HexValueToCharString( const TSTRING& str )
return strOut; return strOut;
} }
TCHAR cCharEncoderUtil::hex_to_char( TSTRING::const_iterator first, TCHAR cCharEncoderUtil::hex_to_char(TSTRING::const_iterator first, TSTRING::const_iterator last)
TSTRING::const_iterator last )
{ {
static const TCHAR max_char = std::numeric_limits<TCHAR>::max(); static const TCHAR max_char = std::numeric_limits<TCHAR>::max();
static const TCHAR min_char = std::numeric_limits<TCHAR>::min(); static const TCHAR min_char = std::numeric_limits<TCHAR>::min();
@ -579,22 +535,17 @@ TSTRING cCharEncoderUtil::char_to_hex( TCHAR ch )
ss << tss::util::char_to_size(ch); ss << tss::util::char_to_size(ch);
if( ss.bad() || ss.fail() || if (ss.bad() || ss.fail() || ss.str().length() != TCHAR_AS_HEX__IN_TCHARS)
ss.str().length() != TCHAR_AS_HEX__IN_TCHARS )
ThrowAndAssert(eBadHexConversion(TSTRING(1, ch))); ThrowAndAssert(eBadHexConversion(TSTRING(1, ch)));
return ss.str(); return ss.str();
} }
TSTRING cCharEncoderUtil::DecodeHexToChar( TSTRING::const_iterator* pcur, TSTRING cCharEncoderUtil::DecodeHexToChar(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end)
const TSTRING::const_iterator end )
{ {
// get hex numbers -- 2 chars // get hex numbers -- 2 chars
TSTRING str; TSTRING str;
size_t n = 0; size_t n = 0;
for( (*pcur)++; for ((*pcur)++; n < TCHAR_AS_HEX__IN_TCHARS && (*pcur) != end; n++, (*pcur)++)
n < TCHAR_AS_HEX__IN_TCHARS &&
(*pcur) != end;
n++, (*pcur)++ )
{ {
str += *(*pcur); str += *(*pcur);
} }
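Review bot: in `DecodeHexToChar` the reformatted loop still starts with `(*pcur)++` in its init expression before the first `(*pcur) != end` test, so the function is only safe when the caller has already proved `*pcur < end`. The `Decode` callers shown in this patch do that check, but `DecodeHexToChar` is a public static on `cCharEncoderUtil` and the `!=` comparison would not stop once the iterator has stepped past `end`. An explicit check at the top of the function (throwing `eBadDecoderInput` as the callers do) would make the precondition local, and the code after the loop should reject the case where fewer than `TCHAR_AS_HEX__IN_TCHARS` characters were read.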
@ -611,8 +562,7 @@ TSTRING cCharEncoderUtil::DecodeHexToChar( TSTRING::const_iterator* pcur,
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
cEncoder::cEncoder( int e, int f ) cEncoder::cEncoder(int e, int f) : m_fFlags(f)
: m_fFlags( f )
{ {
// add encodings // add encodings
if (e & NON_NARROWABLE) if (e & NON_NARROWABLE)
@ -625,14 +575,10 @@ cEncoder::cEncoder( int e, int f )
m_encodings.push_back(new cQuoteCharEncoder); m_encodings.push_back(new cQuoteCharEncoder);
// assert that we weren't passed anything freaky // assert that we weren't passed anything freaky
ASSERT( 0 == ( e & ~( NON_NARROWABLE | ASSERT(0 == (e & ~(NON_NARROWABLE | NON_PRINTABLE | BACKSLASH | DBL_QUOTE)));
NON_PRINTABLE |
BACKSLASH |
DBL_QUOTE ) ) );
// add flags // add flags
ASSERT( ! ( ( m_fFlags & ROUNDTRIP ) && ASSERT(!((m_fFlags & ROUNDTRIP) && (m_fFlags & NON_ROUNDTRIP)));
( m_fFlags & NON_ROUNDTRIP ) ) );
#ifdef TSS_DO_SCHEMA_VALIDATION #ifdef TSS_DO_SCHEMA_VALIDATION
@ -640,12 +586,14 @@ cEncoder::cEncoder( int e, int f )
ValidateSchema(); ValidateSchema();
#endif #endif
} }
cEncoder::~cEncoder() cEncoder::~cEncoder()
{ {
sack_type::iterator itr;
for (itr = m_encodings.begin(); itr != m_encodings.end(); ++itr)
delete *itr;
} }
bool cEncoder::RoundTrip() const bool cEncoder::RoundTrip() const
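Review bot: the new `delete *itr` loop in `cEncoder::~cEncoder()` deletes every encoder through an `iCharEncoder*` (the element type of `sack_type`), which is only well defined if `iCharEncoder` itself declares a virtual destructor. The virtual destructors visible in this patch are on the derived encoder classes, so please confirm the base class has one as well. Now that `cEncoder` owns and frees these raw pointers, a copied `cEncoder` would delete the same objects twice; unless it is already done elsewhere, declare the copy constructor and assignment operator private or otherwise disable them.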
@ -679,9 +627,7 @@ void cEncoder::Encode( TSTRING& strIn ) const
sack_type::const_iterator atE; sack_type::const_iterator atE;
// for all encoders // for all encoders
for( atE = m_encodings.begin(); for (atE = m_encodings.begin(); atE != m_encodings.end(); atE++)
atE != m_encodings.end();
atE++ )
{ {
// does char need encoding? // does char need encoding?
if ((*atE)->NeedsEncoding(first, last)) if ((*atE)->NeedsEncoding(first, last))
@ -703,9 +649,8 @@ void cEncoder::Encode( TSTRING& strIn ) const
strIn = strOut; strIn = strOut;
} }
TSTRING cEncoder::Encode( TSTRING::const_iterator first, TSTRING
TSTRING::const_iterator last, cEncoder::Encode(TSTRING::const_iterator first, TSTRING::const_iterator last, sack_type::const_iterator encoding) const
sack_type::const_iterator encoding ) const
{ {
// encode it // encode it
if (RoundTrip()) if (RoundTrip())
@ -729,8 +674,7 @@ void cEncoder::Decode( TSTRING& strIn ) const
while (cCharUtil::PopNextChar(cur, end, first, last)) while (cCharUtil::PopNextChar(cur, end, first, last))
{ {
// is this char the escape character? // is this char the escape character?
if( IsSingleTCHAR( first, last ) && if (IsSingleTCHAR(first, last) && *first == iCharEncoder::EscapeChar())
*first == iCharEncoder::EscapeChar() )
{ {
// get to identifier // get to identifier
if (!cCharUtil::PopNextChar(cur, end, first, last)) if (!cCharUtil::PopNextChar(cur, end, first, last))
@ -745,9 +689,7 @@ void cEncoder::Decode( TSTRING& strIn ) const
// determine to which encoding the identifier belongs // determine to which encoding the identifier belongs
bool fFoundEncoding = false; bool fFoundEncoding = false;
sack_type::const_iterator atE; sack_type::const_iterator atE;
for( atE = m_encodings.begin(); for (atE = m_encodings.begin(); atE != m_encodings.end(); atE++)
atE != m_encodings.end();
atE++ )
{ {
// is this the right encoding? // is this the right encoding?
if (*first == (*atE)->Identifier()) if (*first == (*atE)->Identifier())
@ -813,8 +755,7 @@ bool cEncoder::OnlyOneCatagoryPerChar() const
} }
} }
ch++; ch++;
} } while (ch != std::numeric_limits<TCHAR>::max());
while( ch != std::numeric_limits<TCHAR>::max() );
} }
return true; return true;
} }
@ -847,9 +788,7 @@ bool cEncoder::AllTestsRunOnEncodedString( const TSTRING& s ) const
while (cCharUtil::PopNextChar(cur, end, first, last)) while (cCharUtil::PopNextChar(cur, end, first, last))
{ {
sack_type::const_iterator atE; sack_type::const_iterator atE;
for( atE = m_encodings.begin(); for (atE = m_encodings.begin(); atE != m_encodings.end(); atE++)
atE != m_encodings.end();
atE++ )
{ {
if ((*atE)->NeedsEncoding(first, last)) if ((*atE)->NeedsEncoding(first, last))
{ {
@ -867,14 +806,7 @@ bool cEncoder::AllTestsRunOnEncodedString( const TSTRING& s ) const
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
cDisplayEncoder::cDisplayEncoder( Flags f ) cDisplayEncoder::cDisplayEncoder(Flags f) : cEncoder(NON_NARROWABLE | NON_PRINTABLE | BACKSLASH | DBL_QUOTE, f)
: cEncoder(
NON_NARROWABLE |
NON_PRINTABLE |
BACKSLASH |
DBL_QUOTE,
f
)
{ {
} }
@ -888,4 +820,3 @@ bool cDisplayEncoder::Decode( TSTRING& str ) const
cEncoder::Decode(str); cEncoder::Decode(str);
return true; // TODO:BAM -- throw error! return true; // TODO:BAM -- throw error!
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -89,9 +89,8 @@ class cEncoder
private: private:
typedef std::vector<iCharEncoder*> sack_type; typedef std::vector<iCharEncoder*> sack_type;
TSTRING Encode( TSTRING::const_iterator first, TSTRING
TSTRING::const_iterator last, Encode(TSTRING::const_iterator first, TSTRING::const_iterator last, sack_type::const_iterator encoding) const;
sack_type::const_iterator encoding ) const;
bool RoundTrip() const; bool RoundTrip() const;
bool AllowWhiteSpace() const; bool AllowWhiteSpace() const;
@ -128,11 +127,9 @@ class cDisplayEncoder : public cEncoder
}; };
class cCharEncoderUtil class cCharEncoderUtil
{ {
public: public:
static bool IsPrintable(TCHAR ch); static bool IsPrintable(TCHAR ch);
static bool IsWhiteSpace(TCHAR ch); static bool IsWhiteSpace(TCHAR ch);
@ -140,13 +137,11 @@ class cCharEncoderUtil
static TSTRING HexValueToCharString(const TSTRING& str); static TSTRING HexValueToCharString(const TSTRING& str);
static TCHAR hex_to_char( TSTRING::const_iterator first, static TCHAR hex_to_char(TSTRING::const_iterator first, TSTRING::const_iterator last);
TSTRING::const_iterator last );
static TSTRING char_to_hex(TCHAR ch); static TSTRING char_to_hex(TCHAR ch);
static TSTRING DecodeHexToChar( TSTRING::const_iterator* pcur, static TSTRING DecodeHexToChar(TSTRING::const_iterator* pcur, const TSTRING::const_iterator end);
const TSTRING::const_iterator end );
enum enum
@ -241,4 +236,3 @@ typedef cDisplayEncoder_<TCHAR> cDisplayEncoder;
#endif //__DISPLAYENCODER_H #endif //__DISPLAYENCODER_H
*/ */

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -96,5 +96,3 @@ TSTRING cDisplayUtil::FormatMultiLineString( const TSTRING& str, int nOffset, in
return (sstr.str()); return (sstr.str());
} }
// eof: displayutil.cpp

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -98,4 +98,3 @@ public:
// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#endif // #ifndef __DISPLAYUTIL_H #endif // #ifndef __DISPLAYUTIL_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -30,44 +30,21 @@
// info@tripwire.org or www.tripwire.org. // info@tripwire.org or www.tripwire.org.
// //
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// timebomb.h // epoch.h
#include "stdcore.h" #include "stdcore.h"
#include "timebomb.h" #include "epoch.h"
#include <time.h> #include <time.h>
#include <iostream> #include <iostream>
#include "timeconvert.h" #include "timeconvert.h"
#include "corestrings.h" #include "corestrings.h"
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// TimeBombExploded() -- Call from main(). Prints out timebomb message and bool CheckEpoch()
// returns true if main() should exit.
//
bool TimeBombExploded()
{ {
#if SIZEOF_TIME_T == 4
struct tm time_struct; struct tm time_struct;
/*
memset(&time_struct, 0, sizeof(time_struct));
time_struct.tm_mday = 25;
time_struct.tm_mon = 0;
time_struct.tm_year = 99;
int64 begin = cTimeUtil::DateToTime( &time_struct );
memset(&time_struct, 0, sizeof(time_struct));
time_struct.tm_mday = 1;
time_struct.tm_mon = 4;
time_struct.tm_year = 99;
int64 end = cTimeUtil::DateToTime( &time_struct );
int64 now = time(0);
if (now < begin || now > end)
{
std::cerr << "This beta version of Tripwire(R) has expired.\n";
return true;
}
*/
// Many functions will fail as we approach the end of the epoch // Many functions will fail as we approach the end of the epoch
// Rather than crashing, we will exit with a nice message // Rather than crashing, we will exit with a nice message
memset(&time_struct, 0, sizeof(time_struct)); memset(&time_struct, 0, sizeof(time_struct));
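Review bot: the new `#if SIZEOF_TIME_T == 4` guard at the top of `CheckEpoch()` evaluates to false when `SIZEOF_TIME_T` is not defined at all, because the preprocessor treats an undefined name as 0, so a build that misses the configure result silently compiles the end-of-epoch check out. Add an `#ifndef SIZEOF_TIME_T` / `#error` pair (or the equivalent in the config header) so that case fails loudly. Also, the file banner was changed from `// timebomb.h` to `// epoch.h`, but this is the implementation file that includes `epoch.h`, so the banner should name the .cpp file.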
@ -83,5 +60,7 @@ bool TimeBombExploded()
} }
return false; return false;
#else
return false;
#endif
} }
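Review bot: the added `#else` branch repeats the `return false;` that sits immediately above it. Placing `#endif` before the existing `return false;` leaves a single return that both configurations share and removes the `#else` altogether.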

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -30,16 +30,15 @@
// info@tripwire.org or www.tripwire.org. // info@tripwire.org or www.tripwire.org.
// //
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// timebomb.h // epoch.h
#ifndef __TIMEBOMB_H #ifndef __EPOCH_H
#define __TIMEBOMB_H #define __EPOCH_H
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// TimeBombExploded() -- Call from main(). Prints out timebomb message and // CheckEpoch() -- Call from main(). Prints out timebomb message and
// returns true if main() should exit. // returns true if main() should exit.
// //
bool TimeBombExploded(); bool CheckEpoch();
#endif #endif
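Review bot: the doc comment for `CheckEpoch()` still says it "Prints out timebomb message", which no longer matches the renamed function or the file. Describe what the check is now for (exiting cleanly as the clock approaches the end of the epoch on builds with a 4-byte `time_t`) and keep the statement that a `true` result means `main()` should exit, since the new name alone does not say which return value is the failure case.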

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -47,5 +47,3 @@ uint32 eError::CalcHash( const char* name )
crcFinit(crc); crcFinit(crc);
return crc.crc; return crc.crc;
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -42,7 +42,6 @@
class eError class eError
{ {
public: public:
//------------------------------------------------------------------------- //-------------------------------------------------------------------------
// Construction and Assignment // Construction and Assignment
//------------------------------------------------------------------------- //-------------------------------------------------------------------------
@ -138,19 +137,24 @@ protected:
class except : public base \ class except : public base \
{ \ { \
public: \ public: \
except( const TSTRING& msg, uint32 flags = 0 ) \ except(const TSTRING& msg, uint32 flags = 0) : base(msg, flags) \
: base( msg, flags ) {} \ { \
TSS_BEGIN_EXCEPTION_EXPLICIT except( const except& rhs ) \ } \
: base( rhs ) {} \ TSS_BEGIN_EXCEPTION_EXPLICIT except(const except& rhs) : base(rhs) \
explicit except() : base() {} \ { \
} \
explicit except() : base() \
{ \
} \
\ \
virtual uint32 GetID() const \ virtual uint32 GetID() const \
{ \ { \
return CalcHash(#except); \ return CalcHash(#except); \
}\ }
#define TSS_END_EXCEPTION() \ #define TSS_END_EXCEPTION() \
}; } \
;
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// TSS_BEGIN_EXCEPTION_NO_CTOR // TSS_BEGIN_EXCEPTION_NO_CTOR
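Review bot: clang-format has split the `};` that closes the class in `TSS_END_EXCEPTION()` into `} \` followed by a lone `;` on a continuation line, which is easy to misread as a stray semicolon and easy to break on a later edit. Wrapping these exception macro definitions in `// clang-format off` and `// clang-format on` would keep the body as `};` and keep the backslash columns stable.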
@ -161,12 +165,14 @@ protected:
class except : public base \ class except : public base \
{ \ { \
public: \ public: \
explicit except() : base() {} \ explicit except() : base() \
{ \
} \
\ \
virtual uint32 GetID() const \ virtual uint32 GetID() const \
{ \ { \
return CalcHash(#except); \ return CalcHash(#except); \
}\ }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// TSS_EXCEPTION // TSS_EXCEPTION
@ -189,31 +195,22 @@ protected:
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// eError // eError
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline eError::eError( const TSTRING& msg, uint32 flags ) inline eError::eError(const TSTRING& msg, uint32 flags) : mMsg(msg), mFlags(flags)
: mMsg ( msg ),
mFlags ( flags )
{ {
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// eError // eError
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline eError::eError( const eError& rhs ) inline eError::eError(const eError& rhs) : mMsg(rhs.mMsg), mFlags(rhs.mFlags)
: mMsg ( rhs.mMsg ),
mFlags ( rhs.mFlags )
{ {
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// eError // eError
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline eError::eError( ) inline eError::eError() : mMsg(_T("")), mFlags(0)
: mMsg ( _T("") ),
mFlags ( 0 )
{ {
} }
@ -231,7 +228,6 @@ inline void eError::operator=( const eError& rhs )
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline eError::~eError() inline eError::~eError()
{ {
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -275,7 +271,6 @@ inline void eError::SetFatality(bool fatal)
inline bool eError::IsFatal() const inline bool eError::IsFatal() const
{ {
return (mFlags & (uint32)NON_FATAL) == 0; return (mFlags & (uint32)NON_FATAL) == 0;
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -298,6 +293,4 @@ inline bool eError::SupressThird() const
} }
#endif //__ERROR_H #endif //__ERROR_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -57,7 +57,9 @@ class cErrorBucket
{ {
public: public:
cErrorBucket(); cErrorBucket();
virtual ~cErrorBucket() {} virtual ~cErrorBucket()
{
}
virtual void AddError(const eError& error); virtual void AddError(const eError& error);
// add an error to the bucket // add an error to the bucket
@ -81,8 +83,7 @@ protected:
/////////////////// ///////////////////
// cErrorBucket // cErrorBucket
/////////////////// ///////////////////
inline cErrorBucket::cErrorBucket() : inline cErrorBucket::cErrorBucket() : mpChild(0)
mpChild(0)
{ {
} }
@ -99,4 +100,3 @@ inline cErrorBucket* cErrorBucket::SetChild(cErrorBucket* pNewChild)
} }
#endif #endif

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -52,9 +52,7 @@ void cErrorBucket::AddError(const eError& error)
//############################################################################# //#############################################################################
void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra) void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra)
{ {
cDisplayEncoder e( cDisplayEncoder e((cDisplayEncoder::Flags)(cDisplayEncoder::NON_ROUNDTRIP | cDisplayEncoder::ALLOW_WHITESPACE));
(cDisplayEncoder::Flags) ( cDisplayEncoder::NON_ROUNDTRIP |
cDisplayEncoder::ALLOW_WHITESPACE ) );
TSTRING errStr; TSTRING errStr;
// //
@ -74,8 +72,7 @@ void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra)
return; return;
// "First Part" header // "First Part" header
errStr = TSS_GetString( cCore, error.IsFatal() ? core::STR_ERROR_ERROR errStr = TSS_GetString(cCore, error.IsFatal() ? core::STR_ERROR_ERROR : core::STR_ERROR_WARNING);
: core::STR_ERROR_WARNING );
if (errStr.empty()) if (errStr.empty())
{ {
@ -136,7 +133,8 @@ void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra)
break; break;
} }
TSTRING::size_type lastSpace = currentStr.find_last_of(SPACE, currentStr.length() >= WIDTH - 1 ? WIDTH - 1 : TSTRING::npos); TSTRING::size_type lastSpace =
currentStr.find_last_of(SPACE, currentStr.length() >= WIDTH - 1 ? WIDTH - 1 : TSTRING::npos);
if (lastSpace == TSTRING::npos) if (lastSpace == TSTRING::npos)
{ {
// can't find space to break at so this string will just have to be longer than screen width. // can't find space to break at so this string will just have to be longer than screen width.
@ -148,15 +146,11 @@ void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra)
lastSpace = currentStr.length(); lastSpace = currentStr.length();
} }
TCERR << TSS_GetString( cCore, core::STR_ERROR_HEADER ) TCERR << TSS_GetString(cCore, core::STR_ERROR_HEADER) << currentStr.substr(0, lastSpace) << std::endl;
<< currentStr.substr( 0, lastSpace )
<< std::endl;
currentStr.erase(0, lastSpace + 1); currentStr.erase(0, lastSpace + 1);
} } while (!currentStr.empty());
while ( !currentStr.empty() ); } while (!errStr.empty());
}
while ( !errStr.empty() );
} }
// "Third Part" print 'exiting' or 'continuing' // "Third Part" print 'exiting' or 'continuing'
@ -165,11 +159,8 @@ void cErrorReporter::PrintErrorMsg(const eError& error, const TSTRING& strExtra)
if ((error.GetFlags() & eError::SUPRESS_THIRD_MSG) == 0) if ((error.GetFlags() & eError::SUPRESS_THIRD_MSG) == 0)
{ {
TCERR << TSS_GetString(cCore, core::STR_ERROR_HEADER) TCERR << TSS_GetString(cCore, core::STR_ERROR_HEADER)
<< TSS_GetString( << TSS_GetString(cCore, error.IsFatal() ? core::STR_ERROR_EXITING : core::STR_ERROR_CONTINUING)
cCore, << std::endl;
error.IsFatal()
? core::STR_ERROR_EXITING
: core::STR_ERROR_CONTINUING ) << std::endl;
} }
} }
@ -185,9 +176,7 @@ void cErrorTracer::HandleError(const eError& error)
{ {
cDebug d("cErrorTracer::HandleError"); cDebug d("cErrorTracer::HandleError");
d.TraceError( _T("%s : %s\n"), d.TraceError(_T("%s : %s\n"), cErrorTable::GetInstance()->Get(error.GetID()).c_str(), error.GetMsg().c_str());
cErrorTable::GetInstance()->Get( error.GetID() ).c_str(),
error.GetMsg().c_str() );
} }
//############################################################################# //#############################################################################
@ -210,14 +199,12 @@ void cErrorQueue::HandleError(const eError& error)
mList.push_back(ePoly(error)); mList.push_back(ePoly(error));
} }
cErrorQueueIter::cErrorQueueIter(cErrorQueue& queue) : cErrorQueueIter::cErrorQueueIter(cErrorQueue& queue) : mList(queue.mList)
mList(queue.mList)
{ {
SeekBegin(); SeekBegin();
} }
cErrorQueueIter::cErrorQueueIter(const cErrorQueue& queue) cErrorQueueIter::cErrorQueueIter(const cErrorQueue& queue) : mList(((cErrorQueue*)&queue)->mList)
: mList( ((cErrorQueue*)&queue)->mList )
{ {
SeekBegin(); SeekBegin();
} }
@ -267,7 +254,6 @@ void cErrorQueue::Read(iSerializer* pSerializer, int32 version)
mList.push_back(ePoly(errorNumber, errorString, flags)); mList.push_back(ePoly(errorNumber, errorString, flags));
} }
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -283,7 +269,6 @@ void cErrorQueue::Write(iSerializer* pSerializer) const
pSerializer->WriteString((*i).GetMsg()); pSerializer->WriteString((*i).GetMsg());
pSerializer->WriteInt32((*i).GetFlags()); pSerializer->WriteInt32((*i).GetFlags());
} }
} }
@ -303,4 +288,3 @@ void cErrorQueue::TraceContents(int dl) const
d.Trace(dl, _T("Error[%d]: num = %x string = %s\n"), counter, (*i).GetID(), (*i).GetMsg().c_str()); d.Trace(dl, _T("Error[%d]: num = %x string = %s\n"), counter, (*i).GetID(), (*i).GetMsg().c_str());
} }
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -100,6 +100,7 @@ protected:
class cErrorQueue : public cErrorBucket, public iTypedSerializable class cErrorQueue : public cErrorBucket, public iTypedSerializable
{ {
friend class cErrorQueueIter; friend class cErrorQueueIter;
public: public:
void Clear(); void Clear();
// remove all errors from the queue // remove all errors from the queue
@ -119,6 +120,7 @@ public:
protected: protected:
virtual void HandleError(const eError& error); virtual void HandleError(const eError& error);
private: private:
typedef std::list<ePoly> ListType; typedef std::list<ePoly> ListType;
ListType mList; ListType mList;
@ -131,7 +133,9 @@ class cErrorQueueIter
public: public:
cErrorQueueIter(cErrorQueue& queue); cErrorQueueIter(cErrorQueue& queue);
cErrorQueueIter(const cErrorQueue& queue); cErrorQueueIter(const cErrorQueue& queue);
~cErrorQueueIter() {} ~cErrorQueueIter()
{
}
// iteration methods // iteration methods
void SeekBegin(); void SeekBegin();
@ -153,9 +157,14 @@ private:
////////////////////////////////////////////////////// //////////////////////////////////////////////////////
class cErrorBucketNull : public cErrorBucket class cErrorBucketNull : public cErrorBucket
{ {
virtual void AddError(const eError& ) {} virtual void AddError(const eError&)
{
}
protected: protected:
virtual void HandleError(const eError& ) {} virtual void HandleError(const eError&)
{
}
}; };
////////////////////////////////////////////////////// //////////////////////////////////////////////////////
@ -165,10 +174,10 @@ protected:
class cErrorBucketPassThru : public cErrorBucket class cErrorBucketPassThru : public cErrorBucket
{ {
protected: protected:
virtual void HandleError(const eError& ) {} virtual void HandleError(const eError&)
{
}
}; };
#endif #endif

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -46,4 +46,3 @@ TSS_EXCEPTION( eBadCmdLine, eErrorGeneral );
TSS_EXCEPTION(eBadModeSwitch, eErrorGeneral); TSS_EXCEPTION(eBadModeSwitch, eErrorGeneral);
#endif //#ifndef __ERRORGENERAL_H #endif //#ifndef __ERRORGENERAL_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -35,7 +35,7 @@
#include "stdcore.h" #include "stdcore.h"
#include "errortable.h" #include "errortable.h"
#ifdef _DEBUG #ifdef DEBUG
#include "package.h" #include "package.h"
#include "corestrings.h" #include "corestrings.h"
#endif #endif
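Review bot: The guard around the `package.h` and `corestrings.h` includes changes from `_DEBUG` to `DEBUG`, and nothing in this hunk shows where `DEBUG` is defined. If any build configuration still sets only `_DEBUG`, these includes and the `AssertMsgValidity` check further down compile out with no warning. Confirm that the configure script or project files define `DEBUG` for debug builds, or accept both spellings during the transition.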
@ -52,7 +52,7 @@ cErrorTable* cErrorTable::GetInstance()
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// AssertMsgValidity // AssertMsgValidity
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
#ifdef _DEBUG #ifdef DEBUG
void cErrorTable::AssertMsgValidity(const TCHAR* msg) void cErrorTable::AssertMsgValidity(const TCHAR* msg)
{ {
// Check to see that the first part of this error message is not too long. // Check to see that the first part of this error message is not too long.
@ -72,10 +72,10 @@ void cErrorTable::AssertMsgValidity(const TCHAR* msg)
// Sunpro got stuck in an infinite loop when we called GetString from this func; // Sunpro got stuck in an infinite loop when we called GetString from this func;
TSTRING::size_type errorSize = 9; TSTRING::size_type errorSize = 9;
TSTRING::size_type warningSize = 10; TSTRING::size_type warningSize = 10;
TSTRING::size_type maxHeaderSize = (errorSize > warningSize ? errorSize : warningSize) + 6; // Add 6 to account for "### ' and ': ' TSTRING::size_type maxHeaderSize =
(errorSize > warningSize ? errorSize : warningSize) + 6; // Add 6 to account for "### ' and ': '
# endif # endif
ASSERT(maxHeaderSize + errSize < 80); ASSERT(maxHeaderSize + errSize < 80);
} }
#endif #endif

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -66,14 +66,14 @@ public:
static cErrorTable* GetInstance(); static cErrorTable* GetInstance();
private: private:
#ifdef _DEBUG #ifdef DEBUG
static void AssertMsgValidity(const TCHAR* msg); static void AssertMsgValidity(const TCHAR* msg);
#endif #endif
}; };
inline void cErrorTable::Put(const eError& e, const TCHAR* msg) inline void cErrorTable::Put(const eError& e, const TCHAR* msg)
{ {
#ifdef _DEBUG #ifdef DEBUG
AssertMsgValidity(msg); AssertMsgValidity(msg);
#endif #endif
@ -113,12 +113,9 @@ inline void cErrorTable::Put( const eError& e, const TCHAR* msg )
RegisterErrors##pkgName::RegisterErrors##pkgName() \ RegisterErrors##pkgName::RegisterErrors##pkgName() \
{ {
#define TSS_REGISTER_ERROR( err, str ) \ # define TSS_REGISTER_ERROR(err, str) cErrorTable::GetInstance()->Put(err, str);
cErrorTable::GetInstance()->Put \
( err, str );
#define TSS_END_ERROR_REGISTRATION() \ # define TSS_END_ERROR_REGISTRATION() }
}
//=================== //===================
// h file macros // h file macros
@ -132,9 +129,7 @@ inline void cErrorTable::Put( const eError& e, const TCHAR* msg )
//=================== //===================
// package init macros // package init macros
//=================== //===================
#define TSS_REGISTER_PKG_ERRORS( pkgName ) \ # define TSS_REGISTER_PKG_ERRORS(pkgName) RegisterErrors##pkgName register##pkgName;
RegisterErrors##pkgName register##pkgName;
#endif //__ERRORTABLE_H #endif //__ERRORTABLE_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -40,28 +40,23 @@
// class eInternal // class eInternal
//============================================================================= //=============================================================================
#if IS_UNIX
namespace //unique namespace //unique
{ {
TCHAR* tw_itot( int value, TCHAR* string, int radix) TCHAR* tw_itot(int value, TCHAR* string, int radix, int size)
{ {
_stprintf( string, "%d", value ); snprintf(string, size, "%d", value);
return string; return string;
} }
} } // namespace
#else
#define tw_itot _itot
#endif //IS_UNIX
eInternal::eInternal(TCHAR* sourceFile, int lineNum) eInternal::eInternal(TCHAR* sourceFile, int lineNum) : eError(_T(""))
: eError(_T(""))
{ {
TCHAR buf[256]; TCHAR buf[256];
mMsg = _T("File: "); mMsg = _T("File: ");
mMsg += sourceFile; mMsg += sourceFile;
mMsg += _T(" Line: "); mMsg += _T(" Line: ");
mMsg += tw_itot(lineNum, buf, 10); mMsg += tw_itot(lineNum, buf, 10, 256);
} }
//============================================================================= //=============================================================================
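Review bot: In `tw_itot`, the `radix` parameter is now ignored (the format is always `"%d"`), and the call site passes the literal `256` as the size next to `TCHAR buf[256]`, so the two can drift apart. Moving from an unbounded `_stprintf` to `snprintf` is the right direction; derive the size from the buffer, for example `sizeof(buf) / sizeof(buf[0])`, and either drop `radix` from the signature or document that only base 10 is supported.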
@ -85,4 +80,3 @@ TSTRING cErrorUtil::MakeFileError( const TSTRING& msg, const TSTRING& fileName )
return ret; return ret;
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -108,7 +108,11 @@ public:
// TODO: ASSERT is always fatal in Unix, perhaps we could #ifdef the ASSERT // TODO: ASSERT is always fatal in Unix, perhaps we could #ifdef the ASSERT
// to echo to cout the line number the exception occured at? // to echo to cout the line number the exception occured at?
#define ThrowAndAssert(exception) { ASSERT(false); throw exception; } #define ThrowAndAssert(exception) \
{ \
ASSERT(false); \
throw exception; \
}
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
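Review bot: `ThrowAndAssert` still expands to a bare brace block, so `if (x) ThrowAndAssert(e); else ...` fails to compile because of the stray semicolon after the closing brace. Since the macro is being reflowed anyway, wrap the body in `do { ... } while (0)` so it behaves like a single statement.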
@ -118,11 +122,8 @@ public:
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// ePoly // ePoly
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline ePoly::ePoly( uint32 id, const TSTRING& msg, uint32 flags ) inline ePoly::ePoly(uint32 id, const TSTRING& msg, uint32 flags) : eError(msg, flags), mID(id)
: eError( msg, flags ),
mID( id )
{ {
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -136,11 +137,8 @@ inline ePoly::ePoly( const eError& rhs )
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// ePoly // ePoly
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
inline ePoly::ePoly() inline ePoly::ePoly() : eError(_T("")), mID(0)
: eError( _T("") ),
mID( 0 )
{ {
} }
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
@ -170,4 +168,3 @@ inline void ePoly::SetID( uint32 id )
} }
#endif //__ERRORUTIL_H #endif //__ERRORUTIL_H

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -74,12 +74,7 @@ struct cFile_i;
class cFile class cFile
{ {
public: public:
#if IS_UNIX
typedef off_t File_t; typedef off_t File_t;
#else //WIN32
typedef int64 File_t;
#endif // IS_UNIX
enum SeekFrom enum SeekFrom
{ {
@ -93,8 +88,10 @@ public:
// note that reading from the file is implicit // note that reading from the file is implicit
OPEN_READ = 0x00000001, // not needed, but makes calls nice... OPEN_READ = 0x00000001, // not needed, but makes calls nice...
OPEN_WRITE = 0x00000002, // we will be writing to the file OPEN_WRITE = 0x00000002, // we will be writing to the file
OPEN_LOCKED_TEMP = 0x00000004, // the file should not be readable by other processes and should be removed when closed OPEN_LOCKED_TEMP =
OPEN_TRUNCATE = 0x00000008, // opens an empty file. creates it if it doesn't exist. Doesn't make much sense without OF_WRITE 0x00000004, // the file should not be readable by other processes and should be removed when closed
OPEN_TRUNCATE =
0x00000008, // opens an empty file. creates it if it doesn't exist. Doesn't make much sense without OF_WRITE
OPEN_CREATE = 0x00000010, // create the file if it doesn't exist; this is implicit if OF_TRUNCATE is set OPEN_CREATE = 0x00000010, // create the file if it doesn't exist; this is implicit if OF_TRUNCATE is set
OPEN_TEXT = 0x00000020, OPEN_TEXT = 0x00000020,
OPEN_EXCLUSIVE = 0x00000040, // Use O_CREAT | O_EXCL OPEN_EXCLUSIVE = 0x00000040, // Use O_CREAT | O_EXCL
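Review bot: After reformatting, the comments for `OPEN_LOCKED_TEMP` and `OPEN_TRUNCATE` sit on the value line below the enumerator name, which makes it easy to read them as belonging to the wrong flag. Put each comment on its own line above the enumerator. The comments also refer to `OF_WRITE` and `OF_TRUNCATE`, while the flags in this enum are named `OPEN_WRITE` and `OPEN_TRUNCATE`; fix the names while touching these lines.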
@ -143,15 +140,48 @@ public:
}; };
#if USES_DEVICE_PATH class cDosPath
class cDevicePath
{ {
public: public:
static TSTRING AsPosix(const TSTRING& in); static TSTRING AsPosix(const TSTRING& in);
static TSTRING AsNative(const TSTRING& in); static TSTRING AsNative(const TSTRING& in);
static bool IsAbsolutePath(const TSTRING& in);
static TSTRING BackupName(const TSTRING& in);
}; };
class cArosPath
{
public:
static TSTRING AsPosix(const TSTRING& in);
static TSTRING AsNative(const TSTRING& in);
static bool IsAbsolutePath(const TSTRING& in);
};
class cRiscosPath
{
public:
static TSTRING AsPosix(const TSTRING& in);
static TSTRING AsNative(const TSTRING& in);
static bool IsAbsolutePath(const TSTRING& in);
};
class cRedoxPath
{
public:
static TSTRING AsPosix(const TSTRING& in);
static TSTRING AsNative(const TSTRING& in);
static bool IsAbsolutePath(const TSTRING& in);
};
# if IS_DOS_DJGPP
# define cDevicePath cDosPath
# elif IS_AROS
# define cDevicePath cArosPath
# elif IS_RISCOS
# define cDevicePath cRiscosPath
# elif IS_REDOX
# define cDevicePath cRedoxPath
# endif # endif
#endif //__FILE_H #endif //__FILE_H
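Review bot: `cDevicePath` is now a preprocessor alias chosen by an `#if`/`#elif` chain with no `#else`, so on any platform outside the four listed the name is undefined and every use must be guarded separately. A `typedef cDosPath cDevicePath;` per branch would respect scope and give clearer diagnostics than a `#define`. Also note that only `cDosPath` declares `BackupName`, so code calling `cDevicePath::BackupName` will compile on DJGPP only; either declare it on all four classes or document that it is DOS-specific.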

View File

@ -1,6 +1,6 @@
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -62,6 +62,10 @@
#include "core/fsservices.h" #include "core/fsservices.h"
#include "core/errorutil.h" #include "core/errorutil.h"
#if IS_RISCOS
#include <unixlib/local.h>
#endif
/////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////
// cFile_i : Insulated implementation for cFile objects. // cFile_i : Insulated implementation for cFile objects.
/////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////
@ -78,18 +82,19 @@ struct cFile_i
}; };
//Ctor //Ctor
cFile_i::cFile_i() : cFile_i::cFile_i() : m_fd(-1), mpCurrStream(NULL), mFlags(0)
mpCurrStream(NULL) {
{} }
//Dtor //Dtor
cFile_i::~cFile_i() cFile_i::~cFile_i()
{ {
if (mpCurrStream != NULL) if (mpCurrStream != NULL)
{
fclose(mpCurrStream); fclose(mpCurrStream);
mpCurrStream = NULL; mpCurrStream = NULL;
#if IS_AROS #if !CAN_UNLINK_WHILE_OPEN // so unlink after close instead
if (mFlags & cFile::OPEN_LOCKED_TEMP) if (mFlags & cFile::OPEN_LOCKED_TEMP)
{ {
// unlink this file // unlink this file
@ -99,8 +104,7 @@ cFile_i::~cFile_i()
} }
} }
#endif #endif
}
mFileName.empty();
} }
/////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////
@ -109,8 +113,7 @@ cFile_i::~cFile_i()
/////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////
cFile::cFile() : cFile::cFile() : mpData(NULL), isWritable(false)
mpData(NULL), isWritable(false)
{ {
mpData = new cFile_i; mpData = new cFile_i;
} }
@ -170,7 +173,8 @@ void cFile::Open( const TSTRING& sFileNameC, uint32 flags )
mode = _T("rb"); mode = _T("rb");
} }
if (flags & OPEN_EXCLUSIVE) { if (flags & OPEN_EXCLUSIVE)
{
perm |= O_CREAT | O_EXCL; perm |= O_CREAT | O_EXCL;
openmode = (mode_t)0600; // Make sure only root can read the file openmode = (mode_t)0600; // Make sure only root can read the file
} }
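Review bot: The comment on the `openmode = (mode_t)0600` line says "Make sure only root can read the file", but mode 0600 grants read and write to the file's owner, whoever that is, not specifically to root. Reword the comment to say owner-only access, so nobody relies on it as a root-only guarantee when the process runs under another account.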
@ -205,7 +209,7 @@ void cFile::Open( const TSTRING& sFileNameC, uint32 flags )
} }
mpData->m_fd = fh; mpData->m_fd = fh;
#if !IS_AROS #if CAN_UNLINK_WHILE_OPEN
if (flags & OPEN_LOCKED_TEMP) if (flags & OPEN_LOCKED_TEMP)
{ {
// unlink this file // unlink this file
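Review bot: The `OPEN_LOCKED_TEMP` unlink is now keyed on `CAN_UNLINK_WHILE_OPEN`, whose definition is not part of this hunk. An undefined macro evaluates to 0 in `#if`, which silently selects the unlink-after-close path in the destructor, leaving the temporary file reachable by name for its whole lifetime. Make sure every platform header defines the macro explicitly as 0 or 1, and consider an `#error` when it is missing.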
@ -253,7 +257,6 @@ void cFile::Open( const TSTRING& sFileNameC, uint32 flags )
ioctl(fh, VX_SETCACHE, VX_SEQ | VX_NOREUSE); ioctl(fh, VX_SETCACHE, VX_SEQ | VX_NOREUSE);
} }
#endif #endif
} }
@ -322,7 +325,7 @@ cFile::File_t cFile::Seek( File_t offset, SeekFrom From) const //throw(eFile)
if (fseeko(mpData->mpCurrStream, offset, apiFrom) != 0) if (fseeko(mpData->mpCurrStream, offset, apiFrom) != 0)
{ {
#ifdef _DEBUG #ifdef DEBUG
cDebug d("cFile::Seek"); cDebug d("cFile::Seek");
d.TraceDebug("Seek failed!\n"); d.TraceDebug("Seek failed!\n");
#endif #endif
@ -347,14 +350,19 @@ cFile::File_t cFile::Read( void* buffer, File_t nBytes ) const //throw(eFile)
if (nBytes == 0) if (nBytes == 0)
return 0; return 0;
if (mpData->mFlags & OPEN_DIRECT) { if (mpData->mFlags & OPEN_DIRECT)
{
iBytesRead = read(mpData->m_fd, buffer, nBytes); iBytesRead = read(mpData->m_fd, buffer, nBytes);
if (iBytesRead<0) { if (iBytesRead < 0)
{
throw eFileRead(mpData->mFileName, iFSServices::GetInstance()->GetErrString()); throw eFileRead(mpData->mFileName, iFSServices::GetInstance()->GetErrString());
} }
} else { }
else
{
iBytesRead = fread(buffer, sizeof(byte), nBytes, mpData->mpCurrStream); iBytesRead = fread(buffer, sizeof(byte), nBytes, mpData->mpCurrStream);
if( ferror( mpData->mpCurrStream ) != 0 ) { if (ferror(mpData->mpCurrStream) != 0)
{
throw eFileRead(mpData->mFileName, iFSServices::GetInstance()->GetErrString()); throw eFileRead(mpData->mFileName, iFSServices::GetInstance()->GetErrString());
} }
} }
@ -449,31 +457,46 @@ void cFile::Truncate( File_t offset ) // throw(eFile)
} }
#if USES_DEVICE_PATH /////////////////////////////////////////////////////////////////////////
// For paths of type DH0:/dir/file // Platform path conversion methods
TSTRING cDevicePath::AsPosix( const TSTRING& in ) /////////////////////////////////////////////////////////////////////////
bool cDosPath::IsAbsolutePath(const TSTRING& in)
{
if (in.empty())
return false;
if (in[0] == '/')
return true;
if (in.length() >= 2 && in[1] == ':')
return true;
return false;
}
// For paths of type C:\DOS
TSTRING cDosPath::AsPosix(const TSTRING& in)
{ {
if (in[0] == '/') if (in[0] == '/')
{
return in; return in;
}
#if IS_DOS_DJGPP TSTRING out = (cDosPath::IsAbsolutePath(in)) ? ("/dev/" + in) : in;
TSTRING out = "/dev/" + in;
std::replace(out.begin(), out.end(), '\\', '/'); std::replace(out.begin(), out.end(), '\\', '/');
#else out.erase(std::remove(out.begin(), out.end(), ':'), out.end());
TSTRING out = '/' + in;
#endif
std::replace(out.begin(), out.end(), ':', '/');
return out; return out;
} }
TSTRING cDevicePath::AsNative( const TSTRING& in ) TSTRING cDosPath::AsNative(const TSTRING& in)
{ {
if (in[0] != '/') if (in[0] != '/')
{
return in; return in;
}
#if IS_DOS_DJGPP
if (in.find("/dev") != 0 || in.length() < 6) if (in.find("/dev") != 0 || in.length() < 6)
return in; return in;
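Review bot: `cDosPath::IsAbsolutePath` returns true for any input whose second character is `:`, which also matches drive-relative names such as `C:foo`. `AsPosix` then prefixes `/dev/` and strips every colon, so `C:foo` becomes `/dev/Cfoo` and the drive letter merges with the file name. Require a path separator after the colon before treating the path as absolute, or handle the drive-relative case explicitly.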
@ -483,17 +506,180 @@ TSTRING cDevicePath::AsNative( const TSTRING& in )
if (in.length() >= 8) if (in.length() >= 8)
out.append(in.substr(7)); out.append(in.substr(7));
std::replace(out.begin(), out.end(), '/', '\\');
return out; return out;
}
#elif IS_AROS TSTRING cDosPath::BackupName(const TSTRING& in)
int x = 1; {
for ( x; in[x] == '/' && x<in.length(); x++); TSTRING out = in;
std::string::size_type pos = out.find_last_of("\\");
if (std::string::npos == pos)
return in;
TSTRING out = in.substr(x); TSTRING path = in.substr(0, pos);
TSTRING name = in.substr(pos, 9);
std::replace(name.begin(), name.end(), '.', '_');
path.append(name);
return path;
}
/////////////////////////////////////////////////////////////////////////
bool cArosPath::IsAbsolutePath(const TSTRING& in)
{
if (in.empty())
return false;
if (in[0] == '/')
return true;
if (in.find(":") != std::string::npos)
return true;
return false;
}
// For paths of type DH0:dir/file
TSTRING cArosPath::AsPosix(const TSTRING& in)
{
if (in[0] == '/')
{
return in;
}
TSTRING out = IsAbsolutePath(in) ? '/' + in : in;
std::replace(out.begin(), out.end(), ':', '/');
return out;
}
TSTRING cArosPath::AsNative(const TSTRING& in)
{
if (in[0] != '/')
{
return in;
}
std::string::size_type drive = in.find_first_not_of("/");
TSTRING out = (drive != std::string::npos) ? in.substr(drive) : in;
TSTRING::size_type t = out.find_first_of('/'); TSTRING::size_type t = out.find_first_of('/');
if (t != std::string::npos)
out[t] = ':'; out[t] = ':';
else
out.append(":");
return out; return out;
}
/////////////////////////////////////////////////////////////////////////
bool cRiscosPath::IsAbsolutePath(const TSTRING& in)
{
if (in.empty())
return false;
if (in[0] == '/')
return true;
if (in.find("$") != std::string::npos)
return true;
return false;
}
// For paths of type SDFS::Volume.$.dir.file
TSTRING cRiscosPath::AsPosix(const TSTRING& in)
{
#if IS_RISCOS
if (in[0] == '/')
{
return in;
}
TSTRING out;
char* unixified = __unixify(in.c_str(), 0, 0, 0, 0);
if (unixified)
{
out.assign(unixified);
free(unixified);
return out;
}
return in;
#else
return in;
#endif #endif
} }
TSTRING cRiscosPath::AsNative(const TSTRING& in)
{
#if IS_RISCOS
if (in[0] != '/')
{
return in;
}
TSTRING out;
int buf_size = in.length() + 100; // examples pad by 100
std::vector<char> buf(buf_size);
__riscosify(in.c_str(), 0, 0, &buf[0], buf_size, 0);
if (buf[0])
{
out.assign(&buf[0]);
return out;
}
return in;
#else
return in;
#endif #endif
}
/////////////////////////////////////////////////////////////////////////
bool cRedoxPath::IsAbsolutePath(const TSTRING& in)
{
if (in.empty())
return false;
if (in[0] == '/')
return true;
if (in.find(":") != std::string::npos)
return true;
return false;
}
// For paths of type file:/dir/file
TSTRING cRedoxPath::AsPosix(const TSTRING& in)
{
if (in[0] == '/')
{
return in;
}
TSTRING out = IsAbsolutePath(in) ? '/' + in : in;
std::string::size_type colon = out.find_first_of(":");
if (colon != std::string::npos)
out.erase(colon, 1);
return out;
}
TSTRING cRedoxPath::AsNative(const TSTRING& in)
{
if (in[0] != '/')
{
return in;
}
std::string::size_type drive = in.find_first_not_of("/");
TSTRING out = (drive != std::string::npos) ? in.substr(drive) : in;
TSTRING::size_type slash = out.find_first_of('/');
if (slash != std::string::npos)
out.insert(slash, ":");
else
out.append(":/");
return out;
}
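Review bot: In `cDosPath::BackupName`, when the input contains no backslash the function returns `in` unchanged, and a name of eight characters or fewer with no dot also comes back identical, so the "backup" name can be the same as the original. The local `TSTRING out = in;` is only used for `find_last_of` and can be dropped, and the `9` in `in.substr(pos, 9)` (separator plus eight characters) should be a named constant with a comment. Separately, `cRiscosPath::AsNative` ignores the result of `__riscosify` and only tests `buf[0]`; check the return value so a conversion that did not fit in the buffer is not silently accepted.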

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -37,8 +37,7 @@
#include "corestrings.h" #include "corestrings.h"
// TODO: Make this use MakeFileError() for consistency // TODO: Make this use MakeFileError() for consistency
eFileError::eFileError( const TSTRING& filename, const TSTRING& description, uint32 flags ) eFileError::eFileError(const TSTRING& filename, const TSTRING& description, uint32 flags) : eError(_T(""), flags)
: eError( _T(""), flags )
{ {
mFilename = filename; mFilename = filename;
mMsg = description; mMsg = description;
@ -73,4 +72,3 @@ TSTRING eFileError::GetDescription() const
return ret; return ret;
} }

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -58,10 +58,13 @@ private:
public: public:
eFileError(const TSTRING& filename, const TSTRING& description, uint32 flags = 0); eFileError(const TSTRING& filename, const TSTRING& description, uint32 flags = 0);
explicit eFileError( const eFileError& rhs ) explicit eFileError(const eFileError& rhs) : eError(rhs)
: eError( rhs ) { mFilename = rhs.mFilename; } {
eFileError( const TSTRING& msg, uint32 flags = 0 ) mFilename = rhs.mFilename;
: eError( msg, flags ) {} }
eFileError(const TSTRING& msg, uint32 flags = 0) : eError(msg, flags)
{
}
TSTRING GetFilename() const; TSTRING GetFilename() const;
@ -72,9 +75,9 @@ TSS_END_EXCEPTION()
# define TSS_FILE_EXCEPTION(except, base) \ # define TSS_FILE_EXCEPTION(except, base) \
TSS_BEGIN_EXCEPTION(except, base) \ TSS_BEGIN_EXCEPTION(except, base) \
except( const TSTRING& filename, const TSTRING& msg, uint32 flags = 0 ) \ except(const TSTRING& filename, const TSTRING& msg, uint32 flags = 0) : base(filename, msg, flags) \
: base( filename, msg, flags ) {} \ { \
} \
TSS_END_EXCEPTION() TSS_END_EXCEPTION()
#endif #endif

View File

@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -79,9 +79,7 @@ void cFileHeaderID::operator=( const cFileHeaderID& rhs )
int cFileHeaderID::operator==(const cFileHeaderID& rhs) const int cFileHeaderID::operator==(const cFileHeaderID& rhs) const
{ {
return return (mIDLen == rhs.mIDLen) && (::memcmp(mID, rhs.mID, mIDLen * sizeof(char)) == 0);
( mIDLen == rhs.mIDLen ) &&
( ::memcmp( mID, rhs.mID, mIDLen * sizeof(char) ) == 0 );
} }
void cFileHeaderID::Read(iSerializer* pSerializer, int32 /*version*/) // throw (eSerializer, eArchive) void cFileHeaderID::Read(iSerializer* pSerializer, int32 /*version*/) // throw (eSerializer, eArchive)
@ -108,10 +106,9 @@ void cFileHeaderID::Write(iSerializer* pSerializer) const // throw (eSerializer,
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
// class cFileHeader // class cFileHeader
cFileHeader::cFileHeader() cFileHeader::cFileHeader() : mVersion(0)
: mVersion(0)
{ {
#ifdef _DEBUG #ifdef DEBUG
mEncoding = LAST_ENCODING; // set to invalid value so we can assert on write mEncoding = LAST_ENCODING; // set to invalid value so we can assert on write
#else #else
mEncoding = NO_ENCODING; mEncoding = NO_ENCODING;
@ -119,20 +116,14 @@ cFileHeader::cFileHeader()
} }
cFileHeader::cFileHeader(const cFileHeader& rhs) cFileHeader::cFileHeader(const cFileHeader& rhs)
: iSerializable(), : iSerializable(), mID(rhs.mID), mVersion(rhs.mVersion), mEncoding(rhs.mEncoding)
mID(rhs.mID),
mVersion(rhs.mVersion),
mEncoding(rhs.mEncoding)
{ {
if (rhs.mBaggage.Length() > 0) if (rhs.mBaggage.Length() > 0)
{ {
mBaggage.MapArchive(0, rhs.mBaggage.Length()); mBaggage.MapArchive(0, rhs.mBaggage.Length());
rhs.mBaggage.MapArchive(0, rhs.mBaggage.Length()); rhs.mBaggage.MapArchive(0, rhs.mBaggage.Length());
::memcpy( ::memcpy(mBaggage.GetMap(), rhs.mBaggage.GetMap(), static_cast<size_t>(rhs.mBaggage.Length()));
mBaggage.GetMap(),
rhs.mBaggage.GetMap(),
static_cast<size_t>( rhs.mBaggage.Length() ) );
mBaggage.MapArchive(0, 0); mBaggage.MapArchive(0, 0);
rhs.mBaggage.MapArchive(0, 0); rhs.mBaggage.MapArchive(0, 0);
@ -213,7 +204,7 @@ void cFileHeader::Read(iSerializer* pSerializer, int32 /*version*/) // throw (eS
void cFileHeader::Write(iSerializer* pSerializer) const // throw (eSerializer, eArchive) void cFileHeader::Write(iSerializer* pSerializer) const // throw (eSerializer, eArchive)
{ {
#ifdef _DEBUG #ifdef DEBUG
// check that we set some values // check that we set some values
cFileHeaderID id; cFileHeaderID id;
ASSERT(mID != id); ASSERT(mID != id);
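Review bot: the "check that we set some values" block in cFileHeader::Write, including ASSERT(mID != id), is compiled only under #ifdef DEBUG, so any build that does not define DEBUG writes a header with a default-constructed ID without complaint. Since this check protects the on-disk format, consider making the mID comparison a runtime check that fails the write in all builds, and keep the ASSERT for the remaining diagnostics.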
@ -250,4 +241,3 @@ void cFileHeader::Write(iSerializer* pSerializer) const // throw (eSerializer, e
pSerializer->WriteBlob(mBaggage.GetMap(), len); pSerializer->WriteBlob(mBaggage.GetMap(), len);
} }
} }


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -70,7 +70,10 @@ private:
// the program is the only person who will see them. // the program is the only person who will see them.
int16 mIDLen; int16 mIDLen;
enum { MAXBYTES = 256 }; enum
{
MAXBYTES = 256
};
char mID[MAXBYTES]; char mID[MAXBYTES];
}; };
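Review bot: missing documentation on the relationship between mIDLen and mID. mIDLen is a signed int16 declared next to a fixed buffer of MAXBYTES bytes, and nothing at the declaration states that 0 <= mIDLen <= MAXBYTES must hold. Add a comment stating that invariant here so every code path that sets mIDLen can be checked against it.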
@ -84,9 +87,7 @@ inline cFileHeaderID::cFileHeaderID(const TCHAR* id)
*this = id; *this = id;
} }
inline inline cFileHeaderID::cFileHeaderID(const cFileHeaderID& rhs) : iSerializable(), mIDLen(rhs.mIDLen)
cFileHeaderID::cFileHeaderID( const cFileHeaderID& rhs ) :
iSerializable(), mIDLen( rhs.mIDLen )
{ {
memcpy(mID, rhs.mID, MAXBYTES); memcpy(mID, rhs.mID, MAXBYTES);
} }
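Review bot: the copy constructor's memcpy(mID, rhs.mID, MAXBYTES) states the length separately from the array declaration and copies the whole buffer regardless of rhs.mIDLen. Use sizeof(mID) as the length so the copy cannot drift from the buffer size if the declaration of mID ever changes.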
@ -163,4 +164,3 @@ inline const cMemoryArchive& cFileHeader::GetBaggage() const
} }
#endif #endif


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -45,10 +45,6 @@
#define __FIXED_FILEBUF_H #define __FIXED_FILEBUF_H
#include <fstream> #include <fstream>
#if IS_UNIX
#define fixed_basic_ofstream std::basic_ofstream #define fixed_basic_ofstream std::basic_ofstream
#endif // IS_WIN32/IS_UNIX
#endif //__FIXED_FILEBUF_H #endif //__FIXED_FILEBUF_H
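Review bot: with the #if IS_UNIX / #endif pair removed, fixed_basic_ofstream is now an unconditional macro alias for std::basic_ofstream, which ignores scope and hides the real type from readers and tools. Either use std::basic_ofstream directly at the call sites and retire this header, or add a comment above the #define explaining why the alias is kept. The include guard __FIXED_FILEBUF_H also uses a double-underscore name, which is reserved for the implementation.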


@ -1,6 +1,6 @@
// //
// The developer of the original code and/or files is Tripwire, Inc. // The developer of the original code and/or files is Tripwire, Inc.
// Portions created by Tripwire, Inc. are copyright (C) 2000 Tripwire, // Portions created by Tripwire, Inc. are copyright (C) 2000-2018 Tripwire,
// Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights // Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights
// reserved. // reserved.
// //
@ -43,5 +43,3 @@ iFSServices* iFSServices::mpInstance = 0;
//############################################################################# //#############################################################################
// eFSServices // eFSServices
//############################################################################# //#############################################################################

Some files were not shown because too many files have changed in this diff.