
use tripwire when building stemcells

- only builds the tripwire database when the environment variable
  TW_LOCAL_PASSPHRASE is set

Change-Id: I5f8ff92a9d1aee9feb1061512f6e71f142149109
1 parent 7498a06 commit 256ecc245374b89173c62fc75b9ecd2934a5004e @pmenglund committed Aug 6, 2012
1 agent/misc/stemcell/build2/spec/stemcell-aws.spec
@@ -33,6 +33,7 @@ stage system_parameters
# Finalisation
stage bosh_clean
stage bosh_harden
+stage bosh_tripwire
stage bosh_dpkg_list
# Image/bootloader
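Review bot: `stage bosh_tripwire` is inserted before `bosh_dpkg_list` and before the `# Image/bootloader` stages, so the database apply.sh builds with `tripwire --init` snapshots the filesystem before those later stages have written anything. Files they add or change under trees the policy covers (`/boot`, `/etc`, `/var/lib`, `/usr`) will therefore be reported as violations on the very first `tripwire --check`. Unless those stages are known not to touch the root filesystem (they are not visible here), move the line so it is the last stage before the image is packed, and note the reason in the spec: `# tripwire must run after every stage that modifies the rootfs`.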
1 agent/misc/stemcell/build2/spec/stemcell-vsphere.spec
@@ -31,6 +31,7 @@ stage system_parameters
# Finalisation
stage bosh_clean
stage bosh_harden
+stage bosh_tripwire
stage bosh_dpkg_list
# Image/bootloader
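Review bot: Same ordering concern as the AWS spec: `stage bosh_tripwire` runs before `bosh_dpkg_list` and the bootloader stages, so whatever they write into `/boot`, `/etc` or `/var/lib` is not in the signed database and shows up as a violation on the first check. If those stages modify the image, the tripwire stage should be the final stage before packing, with a one-line comment explaining why it must stay last.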
3 agent/misc/stemcell/build2/stages/base_apt/apply.sh
@@ -12,7 +12,8 @@ strace bind9-host dnsutils tcpdump iputils-arping \
curl wget libcurl3 libcurl3-dev bison libreadline6-dev \
libxml2 libxml2-dev libxslt1.1 libxslt1-dev zip unzip \
nfs-common flex psmisc apparmor-utils iptables sysstat \
-rsync openssh-server traceroute libncurses5-dev quota"
+rsync openssh-server traceroute libncurses5-dev quota \
+tripwire"
# Disable interactive dpkg
debconf="debconf debconf/frontend select noninteractive"
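Review bot: `tripwire` is now installed into every stemcell, but the bosh_tripwire stage does all of its configuration only when TW_LOCAL_PASSPHRASE is set, so builds without it ship the tripwire binaries plus whatever the package's non-interactive postinst left in `/etc/tripwire` (not visible here) and no signed database. Either purge the package in that case from the tripwire stage, or state in the package-list comment that an unconfigured tripwire is intentional, e.g. `# tripwire: configured by stages/bosh_tripwire only when TW_LOCAL_PASSPHRASE is set`.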
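--- /dev/null
+++ b/agent/misc/stemcell/build2/stages/bosh_tripwire/apply.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2009-2012 VMware, Inc.
+
+set -e
+
+base_dir=$(readlink -nf $(dirname $0)/../..)
+source $base_dir/lib/prelude_apply.bash
+source $base_dir/lib/prelude_bosh.bash
+
+if [ -z "${TW_LOCAL_PASSPHRASE:-}" ]; then
+ echo "No tripwire passphrase for local key - skipping tripwire setup!"
+else
+ echo "Found tripwire passphrase"
+
+ tw_dir=$chroot/etc/tripwire
+
+ # clean up default stuff
+ rm -f $tw_dir/*
+
+ #
+ # generate keys if needed, then copy to chroot
+ #
+ site_key="$dir/assets/site.key"
+ local_key="$dir/assets/local.key"
+
+ if [ ! -f $site_key ]; then
+ twadmin -m G \
+ --site-passphrase ${TW_SITE_PASSPHRASE} \
+ --site-keyfile $site_key
+ fi
+
+ if [ ! -f $local_key ]; then
+ twadmin -m G \
+ --local-passphrase ${TW_LOCAL_PASSPHRASE} \
+ --local-keyfile $local_key
+ fi
+
+ cp $dir/assets/site.key $tw_dir
+ cp $dir/assets/local.key $tw_dir
+
+ # generate tw.cfg or reuse an existing one
+ if [ -f $dir/assets/tw.cfg ]; then
+ cp $dir/assets/tw.cfg $tw_dir
+ else
+ cp $dir/assets/twcfg.txt $tw_dir
+ run_in_bosh_chroot $chroot "
+ twadmin --create-cfgfile -S /etc/tripwire/site.key --site-passphrase ${TW_SITE_PASSPHRASE} /etc/tripwire/twcfg.txt
+ "
+ cp $tw_dir/tw.cfg $dir/assets
+ rm $tw_dir/twcfg.txt
+ fi
+
+ # generate tw.pol or reuse an existing one
+ if [ -f $dir/assets/tw.pol ]; then
+ cp $dir/assets/tw.pol $tw_dir
+ else
+ cp $dir/assets/twpol.txt $tw_dir
+ run_in_bosh_chroot $chroot "
+ twadmin --create-polfile -S /etc/tripwire/site.key --site-passphrase ${TW_SITE_PASSPHRASE} /etc/tripwire/twpol.txt
+ "
+ cp $tw_dir/tw.pol $dir/assets
+ rm $tw_dir/twpol.txt
+ fi
+
+ # create an empty db file so tripwire doesn't generate a warning about
+ # the missing file
+ tw_db=$chroot/var/lib/tripwire/db.twd
+ touch $tw_db
+
+ # generate the tripwire database
+ run_in_bosh_chroot $chroot "
+ tripwire --init --local-passphrase $TW_LOCAL_PASSPHRASE
+ "
+
+ mkdir -p $work/stemcell
+ cp $tw_db $work/stemcell/tripwire.db
+
+fi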
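Review bot: TW_SITE_PASSPHRASE is never checked even though it is required whenever `site.key`, `tw.cfg` or `tw.pol` is missing from assets: in `twadmin -m G --site-passphrase ${TW_SITE_PASSPHRASE} --site-keyfile $site_key` an unset, unquoted variable makes `--site-keyfile` the passphrase, and the two `twadmin --create-*` calls get an empty one. Both passphrases are also interpolated unquoted into the command strings handed to `run_in_bosh_chroot`, so whitespace or shell metacharacters in a passphrase either break the command or are executed by the chroot shell; they are visible in `ps` on the build host in any case, which is inherent to twadmin's `--*-passphrase` options and deserves a line in the header comment. Copying the private `site.key`/`local.key` into the image is normal for tripwire, but the README says all public stemcells share one pair, so a single leaked passphrase lets anyone re-sign the policy and database on every deployment; if that trade-off is intended, say so next to the `cp` lines. The sketch below adds the site-passphrase guard and shell-escapes both values with `printf %q` before they enter the chroot command strings (assuming run_in_bosh_chroot runs them with bash).
```shell
if [ -z "${TW_LOCAL_PASSPHRASE:-}" ]; then
  echo "No tripwire passphrase for local key - skipping tripwire setup!"
else
  echo "Found tripwire passphrase"

  tw_dir=$chroot/etc/tripwire
  site_key="$dir/assets/site.key"
  local_key="$dir/assets/local.key"

  # The site passphrase is needed only when site.key, tw.cfg or tw.pol must
  # be (re)generated; fail early instead of calling twadmin with an empty one.
  if [ ! -f "$site_key" ] || [ ! -f "$dir/assets/tw.cfg" ] || [ ! -f "$dir/assets/tw.pol" ]; then
    if [ -z "${TW_SITE_PASSPHRASE:-}" ]; then
      echo "TW_SITE_PASSPHRASE is required to generate site.key, tw.cfg or tw.pol" >&2
      exit 1
    fi
  fi

  # Shell-escape once so the values survive the quoted command strings below.
  # Both still appear on the twadmin/tripwire command line, i.e. in ps.
  site_pp=$(printf %q "${TW_SITE_PASSPHRASE:-}")
  local_pp=$(printf %q "$TW_LOCAL_PASSPHRASE")

  # … unchanged: rm -f of $tw_dir, key generation (quote "$site_key"/"$local_key" and the passphrases), key copy …

  run_in_bosh_chroot $chroot "
    twadmin --create-cfgfile -S /etc/tripwire/site.key --site-passphrase $site_pp /etc/tripwire/twcfg.txt
  "
  # … unchanged: tw.pol generation with the same $site_pp substitution, empty db touch …
  run_in_bosh_chroot $chroot "
    tripwire --init --local-passphrase $local_pp
  "
  # … unchanged: copy of db.twd into $work/stemcell …
fi
```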
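--- /dev/null
+++ b/agent/misc/stemcell/build2/stages/bosh_tripwire/assets/.gitignore
@@ -0,0 +1,2 @@
+local.key
+site.key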
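--- /dev/null
+++ b/agent/misc/stemcell/build2/stages/bosh_tripwire/assets/README
@@ -0,0 +1,7 @@
+This directory is used to build the public stemcells and you need to know the
+"local" passphrase to do so. The passphrase needs to be set in the environment
+variable TW_PASSPHRASE.
+
+If you want to build your own stemcell with tripwire support you must replace
+site.key & local.key with your own keys, and then generate your own tw.cfg &
+tw.pol using those keys.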
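--- /dev/null
+++ b/agent/misc/stemcell/build2/stages/bosh_tripwire/assets/twcfg.txt
@@ -0,0 +1,16 @@
+ROOT =/usr/sbin
+POLFILE =/etc/tripwire/tw.pol
+DBFILE =/var/lib/tripwire/db.twd
+REPORTFILE =/var/lib/tripwire/report/report-$(DATE).twr
+SITEKEYFILE =/etc/tripwire/site.key
+LOCALKEYFILE =/etc/tripwire/local.key
+EDITOR =/usr/bin/vi
+LATEPROMPTING =false
+LOOSEDIRECTORYCHECKING =false
+MAILNOVIOLATIONS =true
+EMAILREPORTLEVEL =3
+REPORTLEVEL =3
+SYSLOGREPORTING =true
+MAILMETHOD =SMTP
+SMTPHOST =localhost
+SMTPPORT =25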
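Review bot: `MAILMETHOD =SMTP` with `SMTPHOST =localhost` assumes a mail transport listening on the stemcell, and no MTA appears in the package list this commit touches, so e-mail reports (and, with `MAILNOVIOLATIONS =true`, one per clean check) will fail silently. `SYSLOGREPORTING =true` is the channel that will actually work on these images; either state that syslog is the intended path in a comment at the top of the file, or drop the three SMTP lines so the intent is unambiguous. Nothing in this commit schedules `tripwire --check` either; if the Debian package's daily cron job is what is relied on, the README should say so, otherwise the database is built but never consulted.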
257 agent/misc/stemcell/build2/stages/bosh_tripwire/assets/twpol.txt
@@ -0,0 +1,257 @@
+
+#
+# Standard Debian Tripwire configuration
+#
+#
+# This configuration covers the contents of all 'Essential: yes'
+# packages along with any packages necessary for access to an internet
+# or system availability, e.g. name services, mail services, PCMCIA
+# support, RAID support, and backup/restore support.
+#
+
+#
+# Global Variable Definitions
+#
+# These definitions override those in to configuration file. Do not
+# change them unless you understand what you're doing.
+#
+
+@@section GLOBAL
+TWBIN = /usr/sbin;
+TWETC = /etc/tripwire;
+TWVAR = /var/lib/tripwire;
+
+#
+# File System Definitions
+#
+@@section FS
+
+#
+# First, some variables to make configuration easier
+#
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed
+ # infrequently but accessed
+ # often
+
+SEC_LOG = $(Growing) ; # Files that grow, but that
+ # should never change ownership
+
+SEC_INVARIANT = +tpug ; # Directories that should never
+ # change permission or ownership
+
+SIG_LOW = 33 ; # Non-critical files that are of
+ # minimal security impact
+
+SIG_MED = 66 ; # Non-critical files that are of
+ # significant security impact
+
+SIG_HI = 100 ; # Critical files that are
+ # significant points of
+ # vulnerability
+
+#
+# Tripwire Binaries
+#
+(
+ rulename = "Tripwire Binaries",
+ severity = $(SIG_HI)
+)
+{
+ $(TWBIN)/siggen -> $(SEC_BIN) ;
+ $(TWBIN)/tripwire -> $(SEC_BIN) ;
+ $(TWBIN)/twadmin -> $(SEC_BIN) ;
+ $(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+#
+# Tripwire Data Files - Configuration Files, Policy Files, Keys,
+# Reports, Databases
+#
+
+# NOTE: We remove the inode attribute because when Tripwire creates a
+# backup, it does so by renaming the old file and creating a new one
+# (which will have a new inode number). Inode is left turned on for
+# keys, which shouldn't ever change.
+
+# NOTE: The first integrity check triggers this rule and each
+# integrity check afterward triggers this rule until a database update
+# is run, since the database file does not exist before that point.
+(
+ rulename = "Tripwire Data Files",
+ severity = $(SIG_HI)
+)
+{
+ $(TWVAR)/db.twd -> $(SEC_CONFIG) -i ;
+ $(TWETC)/tw.pol -> $(SEC_BIN) -i ;
+ $(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
+ $(TWETC)/local.key -> $(SEC_BIN) ;
+ $(TWETC)/site.key -> $(SEC_BIN) ;
+
+ #don't scan the individual reports
+ $(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+#
+# Critical System Boot Files
+# These files are critical to a correct system boot.
+#
+(
+ rulename = "Critical system boot files",
+ severity = $(SIG_HI)
+)
+{
+ /boot -> $(SEC_CRIT) ;
+ /lib/modules -> $(SEC_CRIT) ;
+}
+
+(
+ rulename = "Boot Scripts",
+ severity = $(SIG_HI)
+)
+{
+ /etc/init.d -> $(SEC_BIN) ;
+ /etc/rcS.d -> $(SEC_BIN) ;
+ /etc/rc0.d -> $(SEC_BIN) ;
+ /etc/rc1.d -> $(SEC_BIN) ;
+ /etc/rc2.d -> $(SEC_BIN) ;
+ /etc/rc3.d -> $(SEC_BIN) ;
+ /etc/rc4.d -> $(SEC_BIN) ;
+ /etc/rc5.d -> $(SEC_BIN) ;
+ /etc/rc6.d -> $(SEC_BIN) ;
+}
+
+
+#
+# Critical executables
+#
+(
+ rulename = "Root file-system executables",
+ severity = $(SIG_HI)
+)
+{
+ /bin -> $(SEC_BIN) ;
+ /sbin -> $(SEC_BIN) ;
+}
+
+#
+# Critical Libraries
+#
+(
+ rulename = "Root file-system libraries",
+ severity = $(SIG_HI)
+)
+{
+ /lib -> $(SEC_BIN) ;
+}
+
+
+#
+# Login and Privilege Raising Programs
+#
+(
+ rulename = "Security Control",
+ severity = $(SIG_MED)
+)
+{
+ /etc/passwd -> $(SEC_CONFIG) ;
+ /etc/shadow -> $(SEC_CONFIG) ;
+}
+
+
+
+
+#
+# These files change every time the system boots
+#
+(
+ rulename = "System boot changes",
+ severity = $(SIG_HI)
+)
+{
+ /var/lock -> $(SEC_CONFIG) ;
+ /var/run -> $(SEC_CONFIG) ; # daemon PIDs
+ /var/log -> $(SEC_CONFIG) ;
+}
+
+# These files change the behavior of the root account
+(
+ rulename = "Root config files",
+ severity = 100
+)
+{
+ /root -> $(SEC_CRIT) ; # Catch all additions to /root
+ /root/.bashrc -> $(SEC_CONFIG) ;
+# /root/.bash_profile -> $(SEC_CONFIG) ;
+# /root/.bash_logout -> $(SEC_CONFIG) ;
+# /root/.bash_history -> $(SEC_CONFIG) ;
+}
+
+#
+# Critical devices
+#
+(
+ rulename = "Devices & Kernel information",
+ severity = $(SIG_HI),
+)
+{
+ /dev -> $(Device) ;
+# /proc -> $(Device) ;
+}
+
+#
+# Other configuration files
+#
+(
+ rulename = "Other configuration files",
+ severity = $(SIG_MED)
+)
+{
+ /etc -> $(SEC_BIN) ;
+}
+
+#
+# Binaries
+#
+(
+ rulename = "Other binaries",
+ severity = $(SIG_MED)
+)
+{
+ /usr/local/sbin -> $(SEC_BIN) ;
+ /usr/local/bin -> $(SEC_BIN) ;
+ /usr/sbin -> $(SEC_BIN) ;
+ /usr/bin -> $(SEC_BIN) ;
+}
+
+#
+# Libraries
+#
+(
+ rulename = "Other libraries",
+ severity = $(SIG_MED)
+)
+{
+ /usr/local/lib -> $(SEC_BIN) ;
+ /usr/lib -> $(SEC_BIN) ;
+}
+
+#
+# Commonly accessed directories that should remain static with regards
+# to owner and group
+#
+(
+ rulename = "Invariant Directories",
+ severity = $(SIG_MED)
+)
+{
+ / -> $(SEC_INVARIANT) (recurse = 0) ;
+ /home -> $(SEC_INVARIANT) (recurse = 0) ;
+ /tmp -> $(SEC_INVARIANT) (recurse = 0) ;
+ /usr -> $(SEC_INVARIANT) (recurse = 0) ;
+ /var -> $(SEC_INVARIANT) (recurse = 0) ;
+ /var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
+}
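Review bot: The "Security Control" rule checks `/etc/passwd` and `/etc/shadow` with `$(SEC_CONFIG)`, i.e. Tripwire's built-in `$(Dynamic)` mask, which drops size, mtime and every hash; because the most specific rule wins, it overrides the `/etc -> $(SEC_BIN)` rule, so a changed root password hash or an added account is not reported, and the rule sits at SIG_MED. Suggest `/etc/passwd -> $(SEC_CRIT) ;` and `/etc/shadow -> $(SEC_CRIT) ;` under `severity = $(SIG_HI)`, or at least `$(SEC_BIN)` so content is hashed. The header still says "Standard Debian Tripwire configuration"; the policy only watches the trees listed here, so anything the bosh stages install outside `/bin`, `/sbin`, `/lib`, `/etc`, `/usr`, `/boot` and `/root` is unmonitored, which is worth stating in that header comment so the gap is a documented choice rather than an oversight.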
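--- /dev/null
+++ b/agent/misc/stemcell/build2/stages/bosh_tripwire/config.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2009-2012 VMware, Inc.
+
+set -e
+
+base_dir=$(readlink -nf $(dirname $0)/../..)
+source $base_dir/lib/prelude_config.bash
+
+if [ ! -z "${TW_LOCAL_PASSPHRASE:-}" ]
+then
+ persist TW_LOCAL_PASSPHRASE
+fi
+
+if [ ! -z "${TW_SITE_PASSPHRASE:-}" ]
+then
+ persist TW_SITE_PASSPHRASE
+fi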
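Review bot: `persist` stores both passphrases in the build's saved settings so apply.sh can read them in a later stage (its implementation is not visible here), which means the secrets are written to disk in the work area next to non-secret options; add a comment saying that file must never be copied into the image and should be removed when the build finishes, and confirm the helper does that. The README added in this commit tells builders to set `TW_PASSPHRASE`, while this script and apply.sh read `TW_LOCAL_PASSPHRASE` and `TW_SITE_PASSPHRASE`; the README should name both and explain that the site passphrase is only needed when site.key, tw.cfg or tw.pol must be generated. The two checks could also be written `[ -n "${TW_LOCAL_PASSPHRASE:-}" ]` for readability.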
2 agent/stemcell2.rake
@@ -46,6 +46,8 @@ namespace :stemcell2 do
:bosh_protocol_version => Bosh::Agent::BOSH_PROTOCOL,
:UBUNTU_ISO => ENV["UBUNTU_ISO"],
:UBUNTU_MIRROR => ENV["UBUNTU_MIRROR"],
+ :TW_LOCAL_PASSPHRASE => ENV["TW_LOCAL_PASSPHRASE"],
+ :TW_SITE_PASSPHRASE => ENV["TW_SITE_PASSPHRASE"],
:ruby_bin => ENV["RUBY_BIN"] || File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name']),
}
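Review bot: The two passphrases now live in the same options hash as `UBUNTU_ISO` and `UBUNTU_MIRROR`, so anywhere that hash is printed, logged or dumped for debugging (not visible in this hunk) the secrets go with it. A short comment marking them, `# secrets: never log or dump this hash with these keys set`, or keeping them out of any debug output, would prevent an accidental leak. The `namespace :stemcell2` body and the hash's consumer continue outside the hunk.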
