summaryrefslogtreecommitdiff
path: root/security/tct
diff options
context:
space:
mode:
authoragc <agc@pkgsrc.org>2002-01-03 10:58:57 +0000
committeragc <agc@pkgsrc.org>2002-01-03 10:58:57 +0000
commit6630f9fa23059622327155155639298827f9c84c (patch)
treedeef914ce57cc84118e238611a68bcfcb9d27003 /security/tct
parent372298fd9242fc524385bd5fa7ff83200dbcc3fb (diff)
downloadpkgsrc-6630f9fa23059622327155155639298827f9c84c.tar.gz
Initial import of tct-1.0.9 into the NetBSD Packages Collection.
TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files. WARNING This software is not for the faint of heart. It is relatively unpolished compared to the software that Dan and Wietse usually release. TCT can spend a lot of time collecting data. And although TCT collects lots of data, many analysis tools still need to be written. Based on patches provided in PR 15081 by frazee.23@osu.edu.
Diffstat (limited to 'security/tct')
-rw-r--r--security/tct/DESCR16
-rw-r--r--security/tct/Makefile36
-rw-r--r--security/tct/PLIST20
-rw-r--r--security/tct/distinfo18
-rw-r--r--security/tct/patches/patch-aa13
-rw-r--r--security/tct/patches/patch-ab13
-rw-r--r--security/tct/patches/patch-ac13
-rw-r--r--security/tct/patches/patch-ad12
-rw-r--r--security/tct/patches/patch-ae13
-rw-r--r--security/tct/patches/patch-af30
-rw-r--r--security/tct/patches/patch-ag31
-rw-r--r--security/tct/patches/patch-ah13
-rw-r--r--security/tct/patches/patch-ai13
-rw-r--r--security/tct/patches/patch-aj13
-rw-r--r--security/tct/patches/patch-ak13
-rw-r--r--security/tct/patches/patch-al13
-rw-r--r--security/tct/patches/patch-am29
-rw-r--r--security/tct/patches/patch-an13
18 files changed, 322 insertions, 0 deletions
diff --git a/security/tct/DESCR b/security/tct/DESCR
new file mode 100644
index 00000000000..29edcec5d70
--- /dev/null
+++ b/security/tct/DESCR
@@ -0,0 +1,16 @@
+TCT is a collection of programs by Dan Farmer and Wietse Venema for a
+post-mortem analysis of a UNIX system after break-in.
+
+Notable TCT components are the grave-robber tool that captures
+information, the ils and mactime tools that display access patterns of
+files dead or alive, the unrm and lazarus tools that recover deleted
+files, and the findkey tool that recovers cryptographic keys from a
+running process or from files.
+
+WARNING
+
+This software is not for the faint of heart. It is relatively
+unpolished compared to the software that Dan and Wietse usually
+release. TCT can spend a lot of time collecting data. And although
+TCT collects lots of data, many analysis tools still need to be
+written.
diff --git a/security/tct/Makefile b/security/tct/Makefile
new file mode 100644
index 00000000000..39d51a59138
--- /dev/null
+++ b/security/tct/Makefile
@@ -0,0 +1,36 @@
+# $NetBSD: Makefile,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+#
+
+DISTNAME= tct-1.09
+CATEGORIES= sysutils
+MASTER_SITES= http://www.porcupine.org/forensics/
+
+MAINTAINER= packages@netbsd.org
+HOMEPAGE= http://www.porcupine.org/forensics/tct.html
+COMMENT= programs to aid post-mortem after a break-in
+
+REPLACE_PERL= bin/grave-robber bin/mactime bin/strip_tct_home
+REPLACE_PERL+= extras/bdf extras/ils2mac extras/realpath
+REPLACE_PERL+= lazarus/lazarus
+
+do-install:
+ cd ${WRKSRC}/bin && \
+ for f in grave-robber mactime; do \
+ ${BSD_INSTALL_SCRIPT} $$f ${LOCALBASE}/sbin; \
+ done; \
+ for f in icat ils lastcomm major_minor pcat timeout unrm; do \
+ ${BSD_INSTALL_PROGRAM} $$f ${LOCALBASE}/sbin; \
+ done
+ cd ${WRKSRC}/extras && \
+ for f in bdf ils2mac realpath; do \
+ ${BSD_INSTALL_SCRIPT} $$f ${LOCALBASE}/sbin; \
+ done
+ ${BSD_INSTALL_SCRIPT} ${WRKSRC}/lazarus/lazarus ${LOCALBASE}/sbin
+ ${INSTALL_DATA_DIR} ${LOCALBASE}/share/doc/tct
+ cd ${WRKSRC}/docs && \
+ for f in README design-notes grave-robber.README lazarus.README mac.README; do \
+ ${BSD_INSTALL_DATA} $$f ${LOCALBASE}/share/doc/tct; \
+ done
+
+.include "../../lang/perl5/buildlink.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/tct/PLIST b/security/tct/PLIST
new file mode 100644
index 00000000000..d2b3b511bdb
--- /dev/null
+++ b/security/tct/PLIST
@@ -0,0 +1,20 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+sbin/bdf
+sbin/grave-robber
+sbin/icat
+sbin/ils
+sbin/ils2mac
+sbin/lazarus
+sbin/lastcomm
+sbin/mactime
+sbin/major_minor
+sbin/pcat
+sbin/realpath
+sbin/timeout
+sbin/unrm
+share/doc/tct/README
+share/doc/tct/design-notes
+share/doc/tct/grave-robber.README
+share/doc/tct/lazarus.README
+share/doc/tct/mac.README
+@dirrm share/doc/tct
diff --git a/security/tct/distinfo b/security/tct/distinfo
new file mode 100644
index 00000000000..6e27dc363a9
--- /dev/null
+++ b/security/tct/distinfo
@@ -0,0 +1,18 @@
+$NetBSD: distinfo,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+SHA1 (tct-1.09.tar.gz) = fffb6ae1f389cfdfad95a9a81f6eaba115c9dfc0
+Size (tct-1.09.tar.gz) = 314134 bytes
+SHA1 (patch-aa) = 36d0bd8a0171d490dbbab84d75a379cdd0b60f9c
+SHA1 (patch-ab) = 54acf9c6f1f2e3eed1bf0bf448c086584a9f3071
+SHA1 (patch-ac) = cef2a88ab3fd23a3b9b3fb3e5109efe936aed934
+SHA1 (patch-ad) = e8d2dbf5941020dd6a596329b9d462733da55117
+SHA1 (patch-ae) = bfef1e0df8b0eaad9815e514a4b6ca9ddcdd5bbe
+SHA1 (patch-af) = bd843a6f3f46b75104bc990408f19f52918d3cdf
+SHA1 (patch-ag) = 0bcbd120663144a486eaeacaa52b5ce8970f88a3
+SHA1 (patch-ah) = 2c0a020793df5539426d32ce56da24b5ecfadf1c
+SHA1 (patch-ai) = dd6059d627a2245074ecf0ddba16f2f4a26a863d
+SHA1 (patch-aj) = b9fd22a2afc0d40472682f5e04ae53837d3f8afa
+SHA1 (patch-ak) = 17b946140958aee8b78062e3f3546740fc1f2df1
+SHA1 (patch-al) = 739b445a65a138b8e9aac83b25bab5b6e5519fb8
+SHA1 (patch-am) = 8d37a161ba18dd2725203b2fcf47329c11c8c4a5
+SHA1 (patch-an) = 7ec22708fb8b0345231542a82e79b1d78b7235d7
diff --git a/security/tct/patches/patch-aa b/security/tct/patches/patch-aa
new file mode 100644
index 00000000000..810fa319805
--- /dev/null
+++ b/security/tct/patches/patch-aa
@@ -0,0 +1,13 @@
+$NetBSD: patch-aa,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/aux/makedefs 2001/10/11 15:53:08 1.1
++++ src/aux/makedefs 2001/10/11 15:53:44
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-ab b/security/tct/patches/patch-ab
new file mode 100644
index 00000000000..440e838dc87
--- /dev/null
+++ b/security/tct/patches/patch-ab
@@ -0,0 +1,13 @@
+$NetBSD: patch-ab,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- extras/entropy/makedefs 2002/01/03 09:33:04 1.1
++++ extras/entropy/makedefs 2002/01/03 09:33:30
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-ac b/security/tct/patches/patch-ac
new file mode 100644
index 00000000000..20bceb59b45
--- /dev/null
+++ b/security/tct/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- extras/findkey/makedefs 2002/01/03 09:34:44 1.1
++++ extras/findkey/makedefs 2002/01/03 09:35:11
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-ad b/security/tct/patches/patch-ad
new file mode 100644
index 00000000000..1b77bb39bb5
--- /dev/null
+++ b/security/tct/patches/patch-ad
@@ -0,0 +1,12 @@
+$NetBSD: patch-ad,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- lib/ostype.pl 2002/01/03 09:36:20 1.1
++++ lib/ostype.pl 2002/01/03 09:36:43
+@@ -9,6 +9,7 @@
+
+ # Order does not matter, table is sorted.
+ %OS_INFO = (
++ "NETBSD1", "NetBSD.1",
+ "FREEBSD2", "FreeBSD.2",
+ "FREEBSD3", "FreeBSD.3",
+ "FREEBSD4", "FreeBSD.4",
diff --git a/security/tct/patches/patch-ae b/security/tct/patches/patch-ae
new file mode 100644
index 00000000000..e3ae71157d7
--- /dev/null
+++ b/security/tct/patches/patch-ae
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/file/makedefs 2002/01/03 09:37:43 1.1
++++ src/file/makedefs 2002/01/03 09:38:04
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-af b/security/tct/patches/patch-af
new file mode 100644
index 00000000000..4ecb8e976c4
--- /dev/null
+++ b/security/tct/patches/patch-af
@@ -0,0 +1,30 @@
+$NetBSD: patch-af,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/fstools/ffs.c 2002/01/03 09:39:06 1.1
++++ src/fstools/ffs.c 2002/01/03 09:44:41
+@@ -193,7 +193,12 @@
+ cg_num = INO_TO_CG(ffs->fs, inum);
+ if (cg == 0 || cg->cg_cgx != cg_num) {
+ cg = ffs_cgroup_lookup(ffs, cg_num);
++#ifdef NETBSD1
++ /* BYTE_SWAPPED filesystems can come later */
++ inosused = (unsigned char *) cg_inosused(cg, 0);
++#else
+ inosused = (unsigned char *) cg_inosused(cg);
++#endif
+ ibase = cg_num * ffs->fs->fs_ipg;
+ }
+
+@@ -290,7 +295,12 @@
+ cg_num = dtog(ffs->fs, addr);
+ if (cg == 0 || cg->cg_cgx != cg_num) {
+ cg = ffs_cgroup_lookup(ffs, cg_num);
++#ifdef NETBSD1
++ /* BYTE_SWAPPED filesystems can come later */
++ freeblocks = (unsigned char *) cg_blksfree(cg, 0);
++#else
+ freeblocks = (unsigned char *) cg_blksfree(cg);
++#endif
+ dbase = cgbase(ffs->fs, cg_num);
+ dmin = cgdmin(ffs->fs, cg_num);
+ sblock = cgsblock(ffs->fs, cg_num);
diff --git a/security/tct/patches/patch-ag b/security/tct/patches/patch-ag
new file mode 100644
index 00000000000..1d68fcdc978
--- /dev/null
+++ b/security/tct/patches/patch-ag
@@ -0,0 +1,31 @@
+$NetBSD: patch-ag,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/fstools/fs_tools.h 2002/01/03 09:46:02 1.1
++++ src/fstools/fs_tools.h 2002/01/03 09:47:01
+@@ -201,6 +201,26 @@
+ #ifndef isset /* NIH */
+ #define isset(a,i) ((a)[(i)/NBBY] & (1<<((i)%NBBY)))
+ #endif
++#endif
++
++#if defined(NETBSD1)
++#define SUPPORTED
++#define HAVE_UFS_FFS
++#include <sys/vnode.h>
++#include <ufs/ufs/quota.h>
++#include <ufs/ufs/inode.h>
++#include <ufs/ufs/ufs_bswap.h>
++#include <ufs/ffs/fs.h>
++#define LSEEK lseek
++#define OFF_T off_t
++#define STRTOUL strtoul
++#define itod(fs,i) ino_to_fsba(fs,i)
++#define itoo(fs,i) ino_to_fsbo(fs,i)
++#define INOTIME(t) (t)
++#define DADDR_T daddr_t
++#define UFS_TYPE "ufs"
++#define DEF_FSTYPE UFS_TYPE
++#define INO_TO_CG ino_to_cg
+ #endif
+
+ /*
diff --git a/security/tct/patches/patch-ah b/security/tct/patches/patch-ah
new file mode 100644
index 00000000000..e519f0cf55a
--- /dev/null
+++ b/security/tct/patches/patch-ah
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/lastcomm/makedefs 2002/01/03 09:48:45 1.1
++++ src/lastcomm/makedefs 2002/01/03 09:49:06
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.4*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-ai b/security/tct/patches/patch-ai
new file mode 100644
index 00000000000..8f2f980d594
--- /dev/null
+++ b/security/tct/patches/patch-ai
@@ -0,0 +1,13 @@
+$NetBSD: patch-ai,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/lastcomm/sys_defs.h 2002/01/03 09:49:57 1.1
++++ src/lastcomm/sys_defs.h 2002/01/03 09:50:25
+@@ -7,7 +7,7 @@
+ */
+ #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
+ || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
+- || defined(OPENBSD2)
++ || defined(OPENBSD2) || defined(NETBSD1)
+ #define SUPPORTED
+ #define _PATH_ACCT "/var/account/acct"
+ #define HAVE_COMP_BLOCK_IO_COUNT
diff --git a/security/tct/patches/patch-aj b/security/tct/patches/patch-aj
new file mode 100644
index 00000000000..e6ccfd200c2
--- /dev/null
+++ b/security/tct/patches/patch-aj
@@ -0,0 +1,13 @@
+$NetBSD: patch-aj,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/major_minor/makedefs 2002/01/03 09:51:21 1.1
++++ src/major_minor/makedefs 2002/01/03 09:51:42
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-ak b/security/tct/patches/patch-ak
new file mode 100644
index 00000000000..517edf8e09b
--- /dev/null
+++ b/security/tct/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/misc/makedefs 2002/01/03 09:53:00 1.1
++++ src/misc/makedefs 2002/01/03 09:53:24
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-al b/security/tct/patches/patch-al
new file mode 100644
index 00000000000..c9fea7ef743
--- /dev/null
+++ b/security/tct/patches/patch-al
@@ -0,0 +1,13 @@
+$NetBSD: patch-al,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/pcat/makedefs 2002/01/03 09:54:14 1.1
++++ src/pcat/makedefs 2002/01/03 09:54:32
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"
diff --git a/security/tct/patches/patch-am b/security/tct/patches/patch-am
new file mode 100644
index 00000000000..304ca734977
--- /dev/null
+++ b/security/tct/patches/patch-am
@@ -0,0 +1,29 @@
+$NetBSD: patch-am,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/pcat/pcat.c 2002/01/03 09:55:26 1.1
++++ src/pcat/pcat.c 2002/01/03 09:56:38
+@@ -177,6 +177,24 @@
+ #endif
+
+ /*
++ * Based on the OpenBSD code above.
++ */
++#if defined(NETBSD1)
++#define SUPPORTED
++#include <sys/param.h>
++#include <sys/user.h>
++#include <sys/sysctl.h>
++#include <kvm.h>
++#include <stddef.h>
++#define HAVE_PTRACE_MEM
++#define PTRACE_ATTACH PT_ATTACH
++#define PTRACE_DETACH PT_DETACH
++#define PTRACE_PEEKDATA PT_READ_D
++#define HAVE_BROKEN_CTOB
++#define PTRACE_ARG3_T caddr_t
++#endif
++
++ /*
+ * SunOS 4.x has no /proc, and ptrace() peeking the u area won't give us the
+ * process memory segment sizes. Instead we must grope process information
+ * from kernel virtual memory. This requires super-user privilege.
diff --git a/security/tct/patches/patch-an b/security/tct/patches/patch-an
new file mode 100644
index 00000000000..72d95007200
--- /dev/null
+++ b/security/tct/patches/patch-an
@@ -0,0 +1,13 @@
+$NetBSD: patch-an,v 1.1.1.1 2002/01/03 10:58:57 agc Exp $
+
+--- src/fstools/makedefs 2002/01/03 10:03:47 1.1
++++ src/fstools/makedefs 2002/01/03 10:04:05
+@@ -2,6 +2,8 @@
+ RELEASE=`(uname -r) 2>/dev/null`
+
+ case "$SYSTEM.$RELEASE" in
++ NetBSD.1*) DEFS="-DNETBSD1"
++ ;;
+ FreeBSD.2*) DEFS="-DFREEBSD2"
+ ;;
+ FreeBSD.3*) DEFS="-DFREEBSD3"