From 2f4192e4d562e46aa4de08f70f4d4203e920378b Mon Sep 17 00:00:00 2001 From: araujo Date: Wed, 21 May 2008 14:42:51 +0000 Subject: - Fixed some errors introduced during the upgrade from version 0.6.1 to 0.7.0. - Bump PORTREVISION. PR: ports/123613 Reported by: pointyhat via pav Submitted by: Pauls Schmehl (maintainer) Reviewed by: araujo (myself) --- security/sguil-server/Makefile | 14 +- security/sguil-server/files/pkg-deinstall.in | 65 +++++ security/sguil-server/files/pkg-install.in | 408 +++++++++++++++++++++++++++ security/sguil-server/files/sguild.sh.in | 35 ++- 4 files changed, 508 insertions(+), 14 deletions(-) create mode 100644 security/sguil-server/files/pkg-deinstall.in create mode 100644 security/sguil-server/files/pkg-install.in (limited to 'security/sguil-server')
diff --git a/security/sguil-server/Makefile b/security/sguil-server/Makefile
index 1e7a93a9bf47..5c3f1b4de225 100644
--- a/security/sguil-server/Makefile
+++ b/security/sguil-server/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= sguil-server
 PORTVERSION= 0.7.0
+PORTREVISION= 1
 CATEGORIES= security
 MASTER_SITES= SF
 MASTER_SITE_SUBDIR= sguil
@@ -63,11 +64,12 @@ post-patch:
 @${REINPLACE_CMD} -e 's:exec tclsh:exec ${TCLSH_CMD}:g' ${WRKSRC}/server/${f}
 .endfor
-pre-su-install:
+pre-install:
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
 @${SETENV} ${SCRIPTS_ENV} PKG_PREFIX=${PREFIX} \
 ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
-
-pre-install:
+.endif
+
 @${MKDIR} ${PREFIX}/etc/${SGUILDIR}
 @${MKDIR} ${PREFIX}/lib/${SGUILDIR}
 @${MKDIR} ${PREFIX}/share/${SGUILDIR}
 @${MKDIR} /var/run/${SGUILDIR}
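Review bot: The new `.if !defined(BATCH) && !defined(PACKAGE_BUILDING)` guard skips the whole PRE-INSTALL script, but the `@${MKDIR}` lines that follow still create `${PREFIX}/lib/${SGUILDIR}` and `/var/run/${SGUILDIR}` as plain root-owned directories, whereas the script (when it does run) creates them with `install -d -o sguil -g sguil -m 0750` and creates the `sguil` user and group. A BATCH or package build therefore presumably ends up with no `sguil` account and a `/var/run/${SGUILDIR}` that the user the rc script runs as (`sguild_user`) cannot write its pidfile into. Consider doing the non-interactive part — user/group creation and `${CHOWN}`/`${CHMOD}` of those directories — unconditionally in the target and keeping only the prompts behind the guard; the same guard is repeated in the post-install hunk below.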
@@ -88,12 +90,14 @@ do-install:
 ${INSTALL_DATA} ${WRKSRC}/server/sql_scripts/${f} ${PREFIX}/share/${SGUILDIR}/${f}
 .endfor
 post-install:
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+ @${SETENV} ${SCRIPTS_ENV} PKG_PREFIX=${PREFIX} \
+ ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+.endif
 .if !defined(NOPORTDOCS)
 @${MKDIR} ${DOCSDIR}
 cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
 .endif
- @${SETENV} PKG_PREFIX=${PREFIX} && PORTSDIR=${PORTSDIR} \
- ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
 @${CAT} ${PKGMESSAGE}
diff --git a/security/sguil-server/files/pkg-deinstall.in b/security/sguil-server/files/pkg-deinstall.in
new file mode 100644
index 000000000000..cf76f13a2dd4
--- /dev/null
+++ b/security/sguil-server/files/pkg-deinstall.in
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+USER="sguil"
+
+# Make sure we're in the right stage of the process
+if [ "$2" = "DEINSTALL" ]; then
+ echo "Stopping sguild......"
+ %%PREFIX%%/etc/rc.d/sguild stop
+ %%PREFIX%%/etc/rc.d/sguild poll
+ if [ ! ${BATCH} ]; then
+ echo "Would you like to remove the sguild certs?" ; read ans
+ case "$ans" in
+ y*|Y*)
+ if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key ]; then
+ rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key
+ fi
+ if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem ]; then
+ rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem
+ fi
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ cd %%PREFIX%%/etc/%%SGUILDIR%% || exit 1
+# Remove the conf files *if* they have not been altered
+ for f in autocat.conf sguild.access sguild.conf sguild.email \
+ sguild.queries sguild.reports sguild.users; do
+ cmp -s -z ${f} ${f}-sample && rm ${f}
+ done
+# Remove the user and group if the installer chooses to
+ echo "Would you like to remove the sguil user and group?" ; read ans
+ case "$ans" in
+ y*|Y*)
+ if pw usershow "${USER}" 2>/dev/null 1>&2; then
+ pw userdel -n sguil
+ fi
+ if pw groupshow "${USER}" 2>/dev/null 1>&2; then
+ pw groupdel -n sguil
+ fi
+ ;;
+ n*|N*)
+ ;;
+ *)
+ ;;
+ esac
+ fi
+fi
+if [ "$2" = "POST-DEINSTALL" ]; then
+ # If the user exists, then display a message
+ if pw usershow "${USER}" 2>/dev/null 1>&2; then
+ echo "To delete the '${USER}' user permanently, use 'pw userdel ${USER}'"
+ fi
+ # If the group exists, then display a message
+ if pw groupshow "${USER}" 2>/dev/null 1>&2; then
+ echo "To delete the '${USER}' group permanently, use 'pw groupdel ${USER}'"
+ fi
+fi
+
+exit 0
diff --git a/security/sguil-server/files/pkg-install.in b/security/sguil-server/files/pkg-install.in
new file mode 100644
index 000000000000..1661985c7251
--- /dev/null
+++ b/security/sguil-server/files/pkg-install.in
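Review bot: `if [ ! ${BATCH} ]; then` only works by accident: with `BATCH` unset it expands to `[ ! ]`, which test(1) treats as the non-empty string `!` and returns true, and a `BATCH` value containing whitespace would be a syntax error; write `if [ -z "${BATCH}" ]; then`. The two prompts also disagree on unexpected input: the cert question does `exit 64` (aborting the deinstall, which is exactly what a non-interactive pkg_delete with EOF on stdin would hit), while the user/group question silently continues — a consistent "unknown answer means no" is the safer behaviour for a deinstall hook. `pw userdel -n sguil` and `pw groupdel -n sguil` hardcode the name that `${USER}` already holds, and `USER` itself overwrites the login environment variable (still exported, if it was, into the `rc.d/sguild stop` invocation); a name like `sguil_user`, as used in pkg-install.in, avoids both.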
@@ -0,0 +1,408 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the
+# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up
+# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16
+# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD
+# developers from whose OS I stole a few tricks as well.
+
+# Set up some paths and variables for later use
+PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin
+pkgname=$1
+rootpwd=''
+confdir="${PKG_PREFIX:-%%PREFIX%%}/etc"
+portdir="${CURDIR:-%%CURDIR%%}"
+scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts"
+if [ -x /usr/sbin/nologin ]; then
+ nologin=/usr/sbin/nologin
+else
+ nologin=/sbin/nologin
+fi
+# Source rc.conf for later
+if [ -z "${source_rc_confs_defined}" ]; then
+ if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+ source_rc_confs
+ elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+ fi
+fi
+sguil_user="sguil"
+sguil_group="sguil"
+case $2 in
+PRE-INSTALL)
+echo "This sguild install script creates a \"turnkey\" install "
+echo "of sguild, including configuing the database and conf files"
+echo "and user accounts so that sguild can be started immediately."
+echo ""
+echo "You may have already done all this (especially if this is an upgrade)"
+echo "and may not be interested in iterating through cert creation and"
+echo "everything else that the script does."
+echo ""
+echo "This portion of the script creates user and group accounts named \"sguil\"."
+echo "Would you like to opt out of this portion of the install script " ; read ans
+case "$ans" in
+ y*|Y*)
+ exit 0
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+esac
+ echo "==> Pre-installation configuration of ${pkgname}"
+ if ! pw groupshow ${sguil_group} -q >/dev/null ; then
+ if ! pw groupadd ${sguil_group} -q; then
+ echo "Failed to create group \"${sguil_group}\"!" >&2
+ echo "Please create it manually." >&2
+ exit 1
+ else
+ echo "Group '%{sguil-group}' created successfully."
+ pw groupshow ${sguil_group}
+ fi
+ fi
+ if ! pw usershow ${sguil_user} -q >/dev/null ; then
+ if ! pw useradd -q -n ${sguil_user} \
+ -g ${sguil_group} -s "${nologin}" \
+ -h - ; then
+ echo "Failed to create user '%{sguil_user}'!" >&2
+ echo "Please create it manually." >&2
+ exit 1
+ else
+ echo "User '${sguil_user}' create successfully."
+ pw usershow ${sguil_user}
+ fi
+ fi
+ for dir in %%SGUILDIR%%/certs ; do
+ if [ ! -d ${confdir}/${dir} ]; then
+ echo "Creating ${confdir}/${dir} ...."
+ install -d -o ${sguil_user} -g ${sguil_group} \
+ -m 0750 ${confdir}/${dir}
+ fi
+ done
+ for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do
+ if [ ! -d ${dir} ]; then
+ echo "Creating ${dir} ...."
+ install -d -o ${sguil_user} -g ${sguil_group} \
+ -m 0750 ${dir}
+ fi
+ done
+ ;;
+POST-INSTALL)
+echo "This sguild install script creates a \"turnkey\" install "
+echo "of sguild, including configuing the database and conf files"
+echo "and user accounts so that sguild can be started immediately."
+echo ""
+echo "You may have already done all this (especially if this is an upgrade)"
+echo "and may not be interested in iterating through cert creation and"
+echo "everything else that the script does."
+echo ""
+echo "Would you like to opt out of the entire install script "
+echo "and configure sguild manually yourself?" ; read ans
+case "$ans" in
+ y*|Y*)
+ exit 0
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+esac
+ echo -e "\033[1mThere are a few things that need to be done to complete the install."
+ echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and "
+ echo "sensors will work, you need to create the database, the account to access it and "
+ echo "the tables for the database and you need to create the directories where all the "
+ echo "data will be stored. (You will also need to edit the conf files for your setup.)"
+ echo ""
+ echo "If you haven't already done this, I can do it for you now."
+ echo "Would you like to create certs now? (y for yes, n for no)"; read ans
+ case "$ans" in
+ y*|Y*)
+ echo -e "\033[1mFirst we need to create a password-protected CA cert."
+ echo ""
+ echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)"
+ openssl req -out CA.pem -new -x509
+ echo "Now we need to create a server certificate/key pair."
+ openssl genrsa -out sguild.key 1024
+ echo -e "\033[1mNow we need to create a certificate request to be signed by the CA."
+ echo "DO NOT password protect your server key. If you do, you will be required"
+ echo "to enter the password every time you start the server."
+ echo -e "\033[0m"
+ openssl req -key sguild.key -new -out sguild.req
+ echo "Now we need to create the actual certificate for your server."
+ echo 44 > file.sr1
+ openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
+ echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory "
+ echo "and clean up the port directory as well."
+ for files in sguild.key sguild.pem; do
+ mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/
+ done
+ for files in CA.pem privkey.pem sguild.req file.sr1; do
+ rm ${portdir}/$files
+ done
+ ;;
+ n*|N*)
+ echo -e "\033[1mSSL is now required for all connections between server, sensors and clients."
+ echo "If you haven't already created certs, you will need to do that before sguil will work."
+ echo -e "\033[0m"
+ echo ""
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mIs the installation of mysql brand new and unaltered?"
+ echo -e "\033[0mBy default, when mysql is installed, it creates five accounts."
+ echo "None of those accounts are protected by passwords. That needs to be corrected."
+ echo "The five accounts are:"
+ echo " root@localhost"
+ echo " root@127.0.0.1"
+ echo " root@`hostname`"
+ echo " @localhost"
+ echo " @`hostname`"
+ echo "I can remove all of the accounts except root@localhost (highly recommended) "
+ echo "and I can set the password for the root@localhost account. (If you get an error "
+ echo "don't worry about it. The account may not have been created to begin with."
+ echo "Would you like me to do that now?" ; read ans
+ case "$ans" in
+ y*|Y*)
+ echo "Enabling mysql in /etc/rc.conf and starting the server....."
+ case ${mysql_enable} in
+ [Yy][Ee][Ss])
+ echo -e "\033[1mIt appears that mysql is already enabled!"
+ echo -e "\033[0m"
+ ;;
+ *)
+ echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
+ echo "mysql_enable=\"YES\"" >> /etc/rc.conf
+ ;;
+ esac
+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
+ echo "The mysql pid is ${mysql_pid}...."
+ if [ -z ${mysql_pid} ]; then
+ %%PREFIX%%/etc/rc.d/mysql-server start
+ fi
+ sleep 1
+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
+ if [ -s ${mysql_pid} ]; then
+ echo "The mysql server did not start. Please fix the problem "
+ echo "and run this script again."
+ exit 64
+ fi
+ echo "Deleting users from mysql......"
+ mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';"
+ mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';"
+ mysql -u root -e "USE mysql; DROP USER ''@'localhost';"
+ mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';"
+ echo "All done deleting......."
+ echo "What would you like root@localhost's password to be?" ; read rootpwd
+ mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');"
+ mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;"
+ ;;
+ n*|N*)
+ echo "Before you use the database, you should at least set passwords"
+ echo "for all the accounts. Otherwise anyone can login to your database."
+ echo "To remove an account, use \"drop user 'user'@'host'\"."
+ echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"."
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?"
+ echo -e "\033[0m" ; read ans
+ case "$ans" in
+ y*|Y*)
+ if [ ! -f /etc/my.cnf ]; then
+ echo "[mysqld]" >> /etc/my.cnf
+ echo "bind-address=127.0.0.1" >> /etc/my.cnf
+ echo "socket=/tmp/mysql.sock" >> /etc/my.cnf
+ echo "ft_min_word_len=3" >> /etc/my.cnf
+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
+ echo "The mysql pid is ${mysql_pid}...."
+ if [ -z ${mysql_pid} ]; then
+ %%PREFIX%%/etc/rc.d/mysql-server start
+ else
+ %%PREFIX%%/etc/rc.d/mysql-server restart
+ fi
+ else
+ echo "/etc/my.cnf already exists!"
+ echo "add \"bind-address=127.0.0.1\" in the [mysqld] section "
+ echo "to force mysql to listen only on localhost."
+ echo "Then restart the server to accept the new settings."
+ fi
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mWould you like to create the database to store all nsm data?"
+ echo -e "\033[0m" ; read ans
+ echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade."
+ case "$ans" in
+ y*|Y*)
+ if [ -z ${rootpwd} ]; then
+ echo "What is the password for the mysql root user?"; read rootpwd
+ fi
+ mysql -u root -p${rootpwd} -e "create database sguildb"
+ mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql
+ ;;
+ n*|N*)
+ echo -e "\033[1mPlease note: if you are upgrading from a previous version "
+ echo "of sguil, you need to run the upgrade_0.7.tcl script located in "
+ echo "'${scriptdir}'."
+ echo -e "\033[0mIf you've already cleaned the port directory, run "
+ echo "make extract to recover the files and access the script."
+ echo ""
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?"
+ echo -e "\033[0m" ; read ans
+ case "$ans" in
+ y*|Y*)
+ if [ -z ${rootpwd} ]; then
+ echo "Please enter the password for the mysql root account." ; read rootpwd
+ fi
+ echo -e "\033[1mPlease enter the password that you want to use for the sguild account."
+ echo -e "\033[0m"; read sguildpwd
+ echo "Creating account for sguild with access to sguildb....."
+ mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \
+ to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'"
+ mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'"
+ mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES"
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mWould you like to create the data directory and all its subdirectories?"
+ echo -e "\033[0m"; read ans
+ case "$ans" in
+ y*|Y*)
+ echo "What do you want the name of the main directory to be?"
+ echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir
+ echo "The main directory will be named '${maindir}'."
+ for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do
+ if [ ! -d ${dir} ]; then
+ echo "Creating ${dir} ...."
+ install -d -o ${sguil_user} -g ${sguil_group} \
+ -m 0750 ${dir}
+ else
+ echo -e "\033[1mThe directory '${dir}' already exists!"
+ echo -e "\033[0m"
+ fi
+ done
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?"
+ echo -e "\033[0m"; read ans
+ case "$ans" in
+ y*|Y*)
+ case ${sguild_enable} in
+ [Yy][Ee][Ss])
+ echo -e "\033[1mIt appears that sguild is already enabled!"
+ echo -e "\033[0m"
+ ;;
+ *)
+ echo -e i"\033[1mWriting to /etc/rc.conf...."
+ echo -e "\033[0m"
+ echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
+ echo "sguild_enable=\"YES\"" >> /etc/rc.conf
+ ;;
+ esac
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now."
+ echo -e "\033[0m"
+ if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then
+ echo "The sguild.conf file already exists!"
+ echo "Do you want me to edit it anyway?" ; read ans
+ case "$ans" in
+ y*|Y*)
+ echo -e "\033[1mPreparing to edit the sguild.conf file......"
+ if [ -z ${maindir} ]; then
+ echo "There's a couple of things I need to verify before continuing."
+ echo "What is the name of the main nsm directory that you are using?"
+ echo -e "\033[0m" ; read ans
+ maindir="$ans"
+ fi
+ if [ -z ${sguildpwd} ]; then
+ echo -e "\033[1mWhat is the password for the sguild database user?"
+ echo -e "\033[0m" ; read ans
+ sguildpwd="$ans"
+ fi
+ sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
+ -e 's|sguild_data|'"${maindir}"'|' \
+ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
+ ;;
+ n*|N*)
+ ;;
+ *)
+ exit 64
+ ;;
+ esac
+ else
+ echo -e "\033[1mPreparing to edit the sguild.conf file......"
+ if [ -z ${maindir} ]; then
+ echo "There's a couple of things I need to verify before continuing."
+ echo "What is the name of the main nsm directory that you are using?"
+ echo -e "\033[0m" ; read ans
+ maindir="$ans"
+ fi
+ if [ -z ${sguildpwd} ]; then
+ echo -e "\033[1mWhat is the password for the sguild database user?"
+ echo -e "\033[0m" ; read ans
+ sguildpwd="$ans"
+ fi
+ sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
+ -e 's|sguild_data|'"${maindir}"'|' \
+ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
+ fi
+ if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then
+ cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users
+ fi
+ if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then
+ cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access
+ fi
+ echo -e "\033[1mYou still need to review all the conf files and configure sguil "
+ echo "per your desired setup before starting sguild. Refer to the port docs in "
+ echo "%%DOCSDIR%% before proceeding."
+ echo -e "\033[0m"
+ echo "Right now, all the conf files except sguild.conf are set to the defaults."
+ for files in archive_sguildb.tcl sguild incident_report.tcl ; do
+ if [ -f %%PREFIX%%/bin/${files} ]; then
+ chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files}
+ fi
+ done
+ if [ ! -f %%PREFIX%%/bin/sguild ]; then
+ echo "Sguild is missing! Please correct the problem before continuing!"
+ exit 1
+ fi
+ ;;
+*)
+ exit 64
+ ;;
+esac
+exit 0
diff --git a/security/sguil-server/files/sguild.sh.in b/security/sguil-server/files/sguild.sh.in
index 436ebd2dc87a..f54ad98d4e5a 100644
--- a/security/sguil-server/files/sguild.sh.in
+++ b/security/sguil-server/files/sguild.sh.in
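Review bot: The script has no `BATCH` check at all, unlike pkg-deinstall.in, so when the package tools run it rather than the port (the Makefile's `.if !defined(BATCH)` guard only covers the port path) every `read ans` on a non-interactive stdin yields an empty answer, the `*) exit 64` arm fires and the install is aborted; wrap the prompting parts in `if [ -z "${BATCH}" ]; then … fi` as the deinstall script does, and note that the `%%WRKSRC%%`/`%%CURDIR%%` fallbacks for `scriptdir`/`portdir` presumably point nowhere at package-install time. The MySQL handling passes the root password on the command line (`mysql -u root -p${rootpwd}`, visible to every local user via ps), reads both passwords with terminal echo on, and splices them unquoted into SQL (`PASSWORD('$rootpwd')`, `IDENTIFIED BY '${sguildpwd}'`) and into a sed expression (`'"${sguildpwd}"'`), so a quote, `|` or `&` in a password breaks or alters the statement; prefer `stty -echo` around the reads and an option file (or `MYSQL_PWD`) over `-p`, and reject or escape such characters before use. `sguild.key` is moved into the certs directory with whatever mode the root umask produced; add `chown ${sguil_user}:${sguil_group}` and `chmod 0600` before the `mv`, and `openssl genrsa -out sguild.key 1024` is below current key-size guidance. `if [ -s ${mysql_pid} ]` tests for a non-empty file named after the pid rather than for an empty string (it only "works" because `[ -s ]` with no operand is true) — `[ -z "${mysql_pid}" ]` is what the surrounding messages mean — and `echo -e i"\033[1mWriting to /etc/rc.conf...."` has a stray `i` before the opening quote.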
@@ -9,26 +9,43 @@
 # Add the following lines to /etc/rc.conf to enable sguild:
 # sguild_enable (bool): Set to YES to enable sguild
 # Default: NO
+# The following commandline arguments are available for sguild
+# " -c : PATH to the sguild config (sguild.conf) file."
+# " -a : PATH to the autocat config (autocat.conf) file."
+# " -g : PATH to the sguild global queries (sguild.queries) file."
+# " -u : PATH to the sguild users (sguild.users) file."
+# " -P : Name of file to write the PID to."
+# " Default is /var/run/%%SGUILDIR%%/sguild.pid"
+# " -l : PATH to sguild libraries."
+# " -O : Define PATH to tls (tcl openssl) lib (libtls1.x.so)"
+# " -C : Directory that contains sguild.pem and sguild.key"
+# " -D Runs sguild in daemon mode."
+# " -A : PATH to sguild.access file."
+# " -d <0|1|2>: Set DEBUG level"
 # sguild_flags (str): Extra flags passed to sguild
-# Default: -D
+# Default: -D -P ${pid}
 # sguild_conf (str): Sguild configuration file
 # Default: %%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf
+# sguild_user (str): Default: sguild
+# Note: this value MUST be set in /etc/rc.conf if you do not accept the default
+# user created by the pkg-install script
 . %%RC_SUBR%%
+load_rc_config sguild
+# set some defaults
+sguild_enable=${sguild_enable:-"NO"}
+sguild_conf=${sguild_conf:-"/%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf"}
+pid=${pid:-"/var/run/%%SGUILDIR%%/sguild.pid"}
+sguild_flags=${sguild_flags:-"-D -P ${pid}"}
+sguild_user=${sguild_user:-"sguil"}
+
 name="sguild"
 rcvar=`set_rcvar`
-
 command="%%PREFIX%%/bin/${name}"
+command_args="-c ${sguild_conf} ${sguild_flags}"
 procname="%%TCLSH%%"
 check_process="${procname}"
 sguild_user="sguil"
-pid="/var/run/%%SGUILDIR%%/${name}.pid"
-
-sguild_enable=${sguild_enable-NO}
-sguild_conf=${sguild_conf-%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf}
-sguild_flags=${sguild_flags--D -P ${pid}}
-[ -n "$sguild_conf" ] && sguild_flags="$sguild_flags -c $sguild_conf"
-load_rc_config ${name}
 run_rc_command "$1"
-- 
cgit
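Review bot: `sguild_user="sguil"` is still assigned unconditionally after the new `sguild_user=${sguild_user:-"sguil"}` default, so any rc.conf override is discarded and the new header comment ("this value MUST be set in /etc/rc.conf") does not hold; delete the later line. `sguild_conf=${sguild_conf:-"/%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf"}` has a leading `/` in front of `%%PREFIX%%`, giving a doubled slash that is harmless but disagrees with the documented default and with `command`. Also, rc.subr itself appends `${name}_flags` to the command line, so including `${sguild_flags}` in `command_args` presumably passes `-D -P ${pid}` twice; `command_args="-c ${sguild_conf}"` should be enough, which is worth confirming against the arguments of the started process.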