# -*- sh -*-
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#     Please see the file `COPYING' for the complete copyright notice.
#
#  config (top level) - 06/14/93
#
# 04/29/93 dls  Added support for 'tigerrc' file.
# 09/10/01 ret Changed name to tararc
# 09/17/01 ret Fixed the command line switch logic.
#
#-----------------------------------------------------------------------------
#
# space, tab, newline
# Built-in defaults; the -d and -w switches override the log and scratch
# directories during option parsing further down.
#
# TigerBinDir keeps a literal '$BASEDIR' on purpose: BASEDIR is not known yet,
# and the string is expanded later with eval once it has been settled.
#
# NOTE(review): these directories are created every time the file is sourced,
# before umask 077 is applied and before the root check, so they get the
# caller's umask.  'tara-data' is created in the current directory, not under
# results/ -- presumably results/tara-data was intended; confirm.
#
# NOTE(review): the default scratch directory is the shared /tmp.  Files that
# are written there and then sourced need a private location.
TigerWorkDir='/tmp'
TigerBinDir='$BASEDIR/bin'
TigerLogDir='results/tara-data'
mkdir -p results tara-data

# dosiggen - handler for the -G switch: regenerate and install the signature
# files for binaries, then terminate the run.
#
# Both helper scripts are addressed relative to the current directory, and
# 'sig*' is expanded there by the shell.
#
# NOTE(review): neither helper's exit status is examined and the function
# always exits 0, so a failed signature run looks like a success to the
# caller.  It is also reached from option parsing, before the root check.
dosiggen()
{
  printf '%s\n' "  Generating new digital signatures for binaries"

  sh util/mksig
  sh util/installsig sig*

  exit 0
}

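# dousage - print the command-line help on stdout and exit with status 1.
#
# Called for -h and for any unrecognised switch.  The text is a quoted
# here-document so it is emitted literally; the earlier echo-based version
# lost the double quotes around "@" in the -d description because they closed
# and reopened the shell string.
#
# NOTE(review): the option parser in this file also accepts -v, -O, -A, -R
# and -t, none of which are described here.
dousage()
{
  cat <<'EOF'
Usage: ./tara [switches]

       -B name
              Specify  the directory where tara is installed.  If
              not specified, the current directory is used.

       -d name
              Specify the name of the directory where  tara  will
              write  the  security  report.  This defaults to the
              results/tara-data directory.  The filename  of  the
              report  will  be of the form 'security.report.host-
              name.date.time.'  If the directory  begins  with  a
              "@", the name will be interpreted as a tara logging
              server.

       -w name
              Specify a directory to  use  for  creating  scratch
              files.  This defaults to /tmp.

       -b name
              Specify  the directory which contains (or will con-
              tain) the binaries generated from  the  C  modules.
              If  the  systems  directories contain all the bina-
              ries, they will be used directly  from  there.   If
              not,  then  if  the  bindir  contains the binaries,
              these will be used.  If none are  found  in  either
              place,  then an attempt will be made to compile the
              C code and install the executables into the bindir.

       -c name
              Specify  an  alternate  name for the tararc control
              file.  The default is 'tararc'.

       -e     This option will cause explanations to be  inserted
              into  the  security  report following each message.
              This can greatly increase the size of  the  report,
              as explanations may appear repeatedly.


       -E     This  option  indicates that a separate explanation
              report should be  created,  with  explanations  for
              each  type  of  message  only  appearing once.  The
              filename of the explanation report will be  of  the
              form 'explain.report.hostname.date.time.'

       -G     Generate MD5 signatures for binary files

       -H     This option will format the report into HTML creat-
              ing local links to the problem descriptions.

       -S     This option indicates that a surface level check of
              the  configuration  files  of  any diskless clients
              served by this machine should  be  checked  at  the
              same  time.   The checks will not be as in depth as
              they would be if run on the client itself.
EOF
  exit 1
}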
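# checkfile FILE [DISPLAYNAME]
#
# Decide whether FILE is acceptable as a configuration file that this script
# will source.
#
# Globals:   LS, LSLINK, AWK (read) - commands/flags supplied by the caller
# Arguments: $1 - path to test
#            $2 - name to show in messages (defaults to $1)
# Outputs:   a --CONFIG-- line on stdout when the file is rejected
# Returns:   0 if FILE is a regular file that is neither group- nor
#            world-writable; 1 otherwise (including "does not exist")
#
# The write bits are read from the mode column of `ls -l`: characters 6 and 9
# are the group and other write flags.  Anything other than "--" rejects the
# file, so an empty result (ls or awk failing, or LS/AWK unset) fails closed.
#
# NOTE(review): only the write bits are examined.  Ownership is not, so a file
# owned by another account with mode 644 is accepted; callers that source the
# result as root should only look in directories root controls.
checkfile()
{
  _rcfile=$1
  # ${2:-$1}, not ${2:=$1}: a positional parameter cannot be assigned to, so
  # the old form failed whenever the second argument was omitted.
  _rcpath=${2:-$1}
  _status=1

  # Paths are quoted so names containing whitespace are tested as one word,
  # and an empty name is not mistaken for a directory by a one-argument test.
  if [ -d "$_rcfile" ]; then
    echo "--CONFIG-- [con001c] Ignoring config file $_rcpath, (directory)"
  elif [ -f "$_rcfile" ]; then
    _status=0
    # $LS and $LSLINK stay unquoted: they may be empty or carry several words.
    _permit=`$LS $LSLINK -l "$_rcfile" |
             $AWK '{printf("%s%s", substr($1,6,1), substr($1,9,1));}'`
    [ "$_permit" != "--" ] && {
      echo "--CONFIG-- [con003c] Ignoring config file $_rcpath, (world and/or group writable)"
      _status=1
    }
  fi

  return $_status
}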

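# One-time configuration pass.  Skipped when CONFIGURED_ALREADY=YES is already
# set; the variable is exported near the end of this block.
#
# In order: pick the installation directory, parse the caller's switches,
# require root, locate and source the per-OS config, the optional site file
# and the tararc control file, then build the command list.  Several of those
# files are sourced into this shell, so each one is a trust boundary.
[ "$CONFIGURED_ALREADY" != "YES" ] && {

  # Files and directories created from here on are private to the caller.
  umask 077

  CONFIGURED_ALREADY=YES

  # Installation directory, in order of preference: $TIGERHOMEDIR,
  # $TigerInstallDir, '..' when only the parent has a systems directory,
  # otherwise the current directory.  -B below overrides the result.
  if [ -n "$TIGERHOMEDIR" ] && [ "$TIGERHOMEDIR" != '.' ]; then
    BASEDIR="$TIGERHOMEDIR"
  elif [ -n "$TigerInstallDir" ] && [ "$TigerInstallDir" != '.' ]; then
    BASEDIR="$TigerInstallDir"
  elif [ ! -d ./systems ] && [ -d ../systems ]; then
    BASEDIR='..'
  else
    BASEDIR='.'
  fi

  # Defaults.  They are assigned exactly once, before the switches are read.
  LOGDIR=$TigerLogDir
  WORKDIR=$TigerWorkDir
  EXPLAINREPORT=N
  SERVERCHECK=N
  Tiger_TESTMODE=N
  HTML=N
  RCFILE=""
  export BASEDIR LOGDIR WORKDIR BINDIR EXPLAINREPORT SERVERCHECK RCFILE
  export Tiger_TESTMODE TigerCleanup HTML
  doversion=0

  # Command-line switches.  Values are taken as given, with no validation.
  # -G and -h act immediately (both handlers exit), which means they run
  # before the root check further down.
  while [ $# != 0 ]
  do
    case "$1" in
     -v) doversion=1;;
     -B) BASEDIR=$2; shift;;
     -d) TigerLogDir=results/$2; shift;;
     -w) TigerWorkDir=$2; shift;;
     -b) BINDIR=$2; shift;;
     -c) RCFILE=$2; shift;;
     -e) EXPLAINREPORT=I;;
     -E) EXPLAINREPORT=Y;;
     -G) dosiggen;;
     -h) dousage;;
     -S) SERVERCHECK=Y;;
     -O) OS=$2; shift;;
     -A) ARCH=$2; shift;;
     -R) REV=$2; shift;;
     -t) Tiger_TESTMODE=Y;;
     -H) HTML=Y;;
      *) echo "--ERROR-- [con006e] Unknown option $1";dousage;;
    esac
    shift;
  done
  PATH=$PATH:/usr/ucb
  export PATH

  # NOTE(review): the guard tests UUID but the variable assigned and checked
  # is UNAME, so a UNAME inherited from the environment is used as-is whenever
  # UUID is non-empty -- presumably UNAME was meant; confirm.  The root test
  # below is a convenience for the operator, not an access control.
  [ "$UUID" = "" ] &&
    UNAME=`whoami`

  export UNAME

  [ "$UNAME" != "root" ] && {
   echo " " 1>&2
   echo "This script should be run from the root account." 1>&2
   echo " " 1>&2
   exit 1
  }

  # Apply -d / -w now that the switches have been read.
  LOGDIR=$TigerLogDir
  WORKDIR=$TigerWorkDir
  if [ ! -d "$LOGDIR" ]; then mkdir "$LOGDIR"; fi

  # EXPLAINREPORT, SERVERCHECK, Tiger_TESTMODE and RCFILE used to be reset to
  # their defaults at this point, which silently discarded -e, -E, -S, -t and
  # -c (only the HTML reset had been commented out).  The values chosen during
  # option parsing are now kept and simply re-exported.
  export BASEDIR LOGDIR WORKDIR BINDIR EXPLAINREPORT SERVERCHECK RCFILE
  export Tiger_TESTMODE TigerCleanup HTML
  TIGERHOMEDIR="$BASEDIR"
  export TIGERHOMEDIR
  # NOTE(review): looks like leftover debugging output; kept so stdout is
  # unchanged.
echo "HTML $HTML"
  TIGERVERSION="`/bin/cat "$TIGERHOMEDIR/version.h" 2>/dev/null`"
  [ ! -n "$TIGERVERSION" ] && TIGERVERSION="undetermined"
  export TIGERVERSION

  [ $doversion -eq 1 ] && {
    echo "tara, version $TIGERVERSION"
    exit 0
  }

  # gethostinfo output is split into words (OS, revision, architecture); the
  # three trailing "unknown" words fill any field it did not print.  Values
  # given with -O / -R / -A take precedence.
  set X `$BASEDIR/util/gethostinfo` unknown unknown unknown
  OS=${OS:=$2}
  REV=${REV:=$3}
  ARCH=${ARCH:=$4}

  # REL is the part of REV before the first dot; the unquoted expansion is
  # deliberate so that IFS=. splits it.
  saveifs=$IFS
  IFS=.
  set X $REV
  IFS=$saveifs
  shift
  REL="$1"
  [ ! -n "$REL" ] && REL=$REV

  # TigerBinDir holds a literal '$BASEDIR/bin'; eval expands that reference
  # once, now that BASEDIR is final.
  [ ! -n "$BINDIR" ] &&  eval BINDIR=${TigerBinDir:=$BASEDIR/bin}

  SCRIPTDIR=$BASEDIR/scripts
  export SCRIPTDIR
 if [ "$OS" = "MacOSX" ]; then
   echo "No support for MacOSX yet, exiting"
   exit 1
 fi

  # Most specific configuration directory wins: OS/REL/REV/ARCH, then
  # OS/REL/REV, OS/REL, OS, and finally 'default'.
  CONFIG_LOC=${TIGERCONF:="$BASEDIR/systems"}
  if [ -f "$CONFIG_LOC/$OS/$REL/$REV/$ARCH/config" ]; then
    echo "Using configuration files for $OS $REV $ARCH."
    CONFIG_DIR="$CONFIG_LOC/$OS/$REL/$REV/$ARCH"
  elif [ -f "$CONFIG_LOC/$OS/$REL/$REV/config" ]; then
    echo "Using configuration files for $OS $REV."
    CONFIG_DIR="$CONFIG_LOC/$OS/$REL/$REV"
  elif [ -f "$CONFIG_LOC/$OS/$REL/config" ]; then
    echo "Using configuration files for $OS $REL"
    CONFIG_DIR="$CONFIG_LOC/$OS/$REL"
  elif [ -f "$CONFIG_LOC/$OS/config" ]; then
    echo "No files for $OS $REV.  Using configuration files for generic $OS."
    CONFIG_DIR="$CONFIG_LOC/$OS"
  elif [ -f "$CONFIG_LOC/default/config" ]; then
    echo "No files for $OS.  Using default configuration files."
    echo "Not all checks may be performed."
    CONFIG_DIR="$CONFIG_LOC/default"
  else
    echo "--ERROR-- [con008e] No configuration files for $OS $REV and can't find the"
    echo "          default configuration files.  Terminating."
    exit 1
  fi
  CONFIG_FILE="$CONFIG_DIR/config"
  # Sourced without a checkfile test; its location derives from BASEDIR and
  # TIGERCONF, both of which the caller can set.
  . "$CONFIG_FILE"

  [ ! -n "$TESTEXEC" ] && TESTEXEC="-f"
  [ ! -n "$TESTLINK" ] && TESTLINK="-h"

  OUTPUTMETHOD="$CAT"
  [ "$EXPLAINREPORT" != "N" ] && {
    OUTPUTMETHOD="$BASEDIR/tigexp -F"
  }
  export OUTPUTMETHOD

  HOSTNAME=`$GETHOSTNAME`

  # Site file: first candidate that checkfile accepts.  Each entry is a
  # literal with variable references that eval expands once.
  # NOTE(review): two candidates live in the current directory and checkfile
  # does not look at ownership, so run this only from a directory root
  # controls.
  for file in './site-$HOSTNAME' '$BASEDIR/site-$HOSTNAME' './site' '$BASEDIR/site'
  do
    eval rc=$file
    if checkfile "$rc" "$file"; then
      SITECONFIG=$rc
      break
    fi
  done

  [ -n "$SITECONFIG" ] && [ -r "$SITECONFIG" ] && . "$SITECONFIG"

  # Control file.  A file named with -c must exist; otherwise search the usual
  # places.
  # NOTE(review): a -c file is sourced without the checkfile permission test
  # that the searched candidates get -- confirm that is intended.
  [ -n "$RCFILE" ] && [ ! -f "$RCFILE" ] && {
    echo "Control file $RCFILE not found... exiting..."
    exit 1
  }
  [ ! -n "$RCFILE" ] && {
    for file in './.tararc' './tararc' '$HOME/.tararc' '$BASEDIR/tararc'
    do
      eval rc=$file
      if checkfile "$rc" "$file"; then
        RCFILE=$rc
        break
      fi
    done
  }
  if [ ! -f "$RCFILE" ]; then
     echo "Control file $RCFILE not found... exiting..."
     exit 1
  fi

  #
  # Preprocess the RC file, to export variables to environment
  #
  # The rewritten copy is sourced by this shell, so it must not sit under a
  # guessable name in a shared directory (WORKDIR defaults to /tmp).  mkdir
  # without -p fails if the path already exists in any form, and umask 077
  # makes the new directory private, so the file inside it can only have been
  # written by this process.  A pre-existing path stops the run instead of
  # being reused.
  #

  [ -n "$RCFILE" ] && [ -f "$RCFILE" ] && {
    _tmpd="$WORKDIR/tara-rc.$$"
    mkdir "$_tmpd" || {
      echo "--ERROR-- Cannot create private scratch directory $_tmpd" 1>&2
      exit 1
    }
    $GREP -v '^#' "$RCFILE" |
    $SED -e 's/^\(.*\)=/export \1; \1=/' > "$_tmpd/rcfile"
    . "$_tmpd/rcfile"
    $RM -f "$_tmpd/rcfile"
    rmdir "$_tmpd"
  }

  HOSTNAMESLIST=${HOSTNAMESLIST:=$HOSTNAME}

  export CONFIGURED_ALREADY OS REL REV ARCH HOSTNAME
  export CONFIG_DIR CONFIG_FILE HOSTNAMESLIST CRACK

  # buildbins writes shell code into the file named by its argument and that
  # file is then sourced here; same private-directory handling as above.
  [ "$TigerNoBuild" != 'Y' ] && {
    _tmpd="$WORKDIR/tara-cmds.$$"
    mkdir "$_tmpd" || {
      echo "--ERROR-- Cannot create private scratch directory $_tmpd" 1>&2
      exit 1
    }
    : > "$_tmpd/tigercmds"
    $BASEDIR/util/buildbins "$_tmpd/tigercmds"
    . "$_tmpd/tigercmds"
    $RM -f "$_tmpd/tigercmds"
    rmdir "$_tmpd"
  }
}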
