From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Apr 11 03:50:05 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC8BB1065676 for ; Fri, 11 Apr 2008 03:50:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id C202F8FC23 for ; Fri, 11 Apr 2008 03:50:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m3B3o4oZ074949 for ; Fri, 11 Apr 2008 03:50:04 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m3B3o4ie074948; Fri, 11 Apr 2008 03:50:04 GMT (envelope-from gnats) Resent-Date: Fri, 11 Apr 2008 03:50:04 GMT Resent-Message-Id: <200804110350.m3B3o4ie074948@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Paul Scmehl Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3AF81106567E for ; Fri, 11 Apr 2008 03:40:04 +0000 (UTC) (envelope-from root@utd65257.utdallas.edu) Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) by mx1.freebsd.org (Postfix) with ESMTP id DDA858FC15 for ; Fri, 11 Apr 2008 03:40:03 +0000 (UTC) (envelope-from root@utd65257.utdallas.edu) Received: by utd65257.utdallas.edu (Postfix, from userid 0) id 5BC1434781C; Thu, 10 Apr 2008 22:23:44 -0500 (CDT) Message-Id: <20080411032344.5BC1434781C@utd65257.utdallas.edu> Date: Thu, 10 Apr 2008 22:23:44 -0500 (CDT) From: Paul Scmehl To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: ports/122647: security/sguil-server, port upgrade, new version X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Paul Scmehl List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2008 03:50:05 -0000 >Number: 122647 >Category: ports >Synopsis: security/sguil-server, port upgrade, new version >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Fri Apr 11 03:50:04 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Paul Scmehl >Release: FreeBSD 7.0-STABLE i386 >Organization: University of Texas at Dallas >Environment: System: FreeBSD hostname.utdallas.edu 7.0-STABLE FreeBSD 7.0-STABLE #4: Mon Apr 7 15:22:19 CDT 2008 root@hostname.utdallas.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: This PR updates the security/sguil-server port to the new version - 0.7.0 Committer: Please note - there are three sguil port; server, sensor & client All three must be updated at the same time. Please do not commit this update without also committing the other two. In addition, a repocopy of security/barnyard-sguil6 to security/barnyard-squil is required in order for the sensor port to work. So all four changes must be committed at the same time. >How-To-Repeat: >Fix: --- patch-Makefile begins here --- --- Makefile.orig 2007-01-16 06:45:12.000000000 -0600 +++ Makefile 2008-04-10 21:06:48.000000000 -0500 @@ -6,8 +6,7 @@ # PORTNAME= sguil-server -PORTVERSION= 0.6.1 -PORTREVISION= 1 +PORTVERSION= 0.7.0 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= sguil @@ -18,7 +17,6 @@ RUN_DEPENDS= p0f:${PORTSDIR}/net-mgmt/p0f \ tcpflow:${PORTSDIR}/net/tcpflow \ dtplite:${PORTSDIR}/devel/tcllib \ - barnyard:${PORTSDIR}/security/barnyard-sguil6 \ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX LIB_DEPENDS= tls:${PORTSDIR}/devel/tcltls @@ -29,24 +27,33 @@ WRKSRC= ${WRKDIR}/sguil-${PORTVERSION} PATCH_WRKSRC= ${WRKSRC}/server PLIST_SUB= SGUILDIR=${SGUILDIR} -SUB_FILES= pkg-message -SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD} -LIBRARIES= SguildAccess.tcl SguildEvent.tcl SguildReportBuilder.tcl \ - SguildAutoCat.tcl SguildGenericDB.tcl SguildSendComms.tcl \ +SUB_FILES= pkg-message pkg-install pkg-deinstall +SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD} CURDIR=${.CURDIR} \ + WRKSRC=${WRKSRC} DOCSDIR=${DOCSDIR} +LIBRARIES= SguildAccess.tcl SguildGenericDB.tcl SguildReportBuilder.tcl \ + SguildAutoCat.tcl SguildGenericEvent.tcl SguildSendComms.tcl \ SguildClientCmdRcvd.tcl SguildHealthChecks.tcl SguildSensorAgentComms.tcl \ SguildConnect.tcl SguildLoaderd.tcl SguildSensorCmdRcvd.tcl \ SguildCreateDB.tcl SguildMysqlMerge.tcl SguildTranscript.tcl \ - SguildEmailEvent.tcl SguildQueryd.tcl SguildUtils.tcl -SCRIPTS= create_ruledb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \ - create_sguildb.sql update_sguildb_v5-v6.sql update_sguildb_v9-v10.sql \ - migrate_event.tcl update_sguildb_v6-v7.sql migrate_sancp.tcl update_sguildb_v7-v8.sql + SguildEmailEvent.tcl SguildPadsLib.tcl SguildUtils.tcl \ + SguildEvent.tcl SguildQueryd.tcl +SCRIPTS= create_ruledb.sql update_0.7.tcl update_sguildb_v7-v8.sql \ + create_sguildb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \ + migrate_event.tcl update_sguildb_v11-v12.sql update_sguildb_v9-v10.sql \ + migrate_sancp.tcl update_sguildb_v5-v6.sql sancp_cleanup.tcl update_sguildb_v6-v7.sql CONFS= autocat.conf sguild.access sguild.conf sguild.email sguild.queries sguild.reports sguild.users -PORTDOCS= CHANGES INSTALL INSTALL.openbsd LICENSE.QPL \ - OPENSSL.README TODO USAGE sguildb.dia +PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \ + OPENSSL.README TODO UPGRADE USAGE sguildb.dia + +OPTIONS= MYSQL50 "Install mysql50 server" off .include +.if defined(WITH_MYSQL50) +RUN_DEPENDS+= ${LOCALBASE}/libexec/mysqld:${PORTSDIR}/databases/mysql50-server +.endif + MYSQLTCL_VER!= cd ${PORTSDIR}/databases/mysqltcl && ${MAKE} -V PORTVERSION RUN_DEPENDS+= ${LOCALBASE}/lib/mysqltcl-${MYSQLTCL_VER}:${PORTSDIR}/databases/mysqltcl @@ -56,10 +63,15 @@ @${REINPLACE_CMD} -e 's:exec tclsh:exec ${TCLSH_CMD}:g' ${WRKSRC}/server/${f} .endfor -do-install: - @${MKDIR} ${PREFIX}/etc/${SGUILDIR} +pre-su-install: + @${SETENV} ${SCRIPTS_ENV} PKG_PREFIX=${PREFIX} \ + ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL + +pre-install: @${MKDIR} ${PREFIX}/lib/${SGUILDIR} @${MKDIR} ${PREFIX}/share/${SGUILDIR} + @${MKDIR} /var/run/${SGUILDIR} +do-install: .for f in archive_sguildb.tcl sguild ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/${f} ${PREFIX}/bin/${f} .endfor @@ -80,6 +92,9 @@ @${MKDIR} ${DOCSDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR} .endif + @${SETENV} PKG_PREFIX=${PREFIX} && PORTSDIR=${PORTSDIR} \ + ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL + @${CAT} ${PKGMESSAGE} .include --- patch-Makefile ends here --- --- patch-distinfo begins here --- --- distinfo.orig 2006-10-30 20:43:25.000000000 -0600 +++ distinfo 2008-04-10 21:06:48.000000000 -0500 @@ -1,3 +1,3 @@ -MD5 (sguil-server-0.6.1.tar.gz) = 27decbe3c6528bf2c86c74b35b8f7b3b -SHA256 (sguil-server-0.6.1.tar.gz) = 22aea8f76da0530ae7ee9a68efe1de7615bec47a7702c93f8fe338d57590ce57 -SIZE (sguil-server-0.6.1.tar.gz) = 92901 +MD5 (sguil-server-0.7.0.tar.gz) = 2ba67b1a98ed92f43072ecd98d9e15eb +SHA256 (sguil-server-0.7.0.tar.gz) = 8ed845779c516b7bcb092454d339a26bca69f52689f9f07831fb41a3efe58809 +SIZE (sguil-server-0.7.0.tar.gz) = 103440 --- patch-distinfo ends here --- --- patch-pkg-plist begins here --- --- pkg-plist.orig 2006-10-30 20:43:25.000000000 -0600 +++ pkg-plist 2008-04-10 21:06:48.000000000 -0500 @@ -16,9 +16,11 @@ lib/%%SGUILDIR%%/SguildEmailEvent.tcl lib/%%SGUILDIR%%/SguildEvent.tcl lib/%%SGUILDIR%%/SguildGenericDB.tcl +lib/%%SGUILDIR%%/SguildGenericEvent.tcl lib/%%SGUILDIR%%/SguildHealthChecks.tcl lib/%%SGUILDIR%%/SguildLoaderd.tcl lib/%%SGUILDIR%%/SguildMysqlMerge.tcl +lib/%%SGUILDIR%%/SguildPadsLib.tcl lib/%%SGUILDIR%%/SguildQueryd.tcl lib/%%SGUILDIR%%/SguildReportBuilder.tcl lib/%%SGUILDIR%%/SguildSendComms.tcl @@ -30,12 +32,16 @@ share/%%SGUILDIR%%/create_sguildb.sql share/%%SGUILDIR%%/migrate_event.tcl share/%%SGUILDIR%%/migrate_sancp.tcl +share/%%SGUILDIR%%/sancp_cleanup.tcl +share/%%SGUILDIR%%/update_0.7.tcl share/%%SGUILDIR%%/update_sguildb_v5-v6.sql share/%%SGUILDIR%%/update_sguildb_v6-v7.sql share/%%SGUILDIR%%/update_sguildb_v7-v8.sql share/%%SGUILDIR%%/update_sguildb_v8-v9.sql share/%%SGUILDIR%%/update_sguildb_v9-v10.sql share/%%SGUILDIR%%/update_sguildb_v10-v11.sql -@dirrm share/%%SGUILDIR%% -@unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] ; then rmdir %D/etc/%%SGUILDIR%%; fi +share/%%SGUILDIR%%/update_sguildb_v11-v12.sql +@dirrmtry etc/%%SGUILDIR%%/certs +@unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] && [ ! -d %D/etc/%%SGUILDIR%%/certs ] ; then rmdir %D/etc/%%SGUILDIR%%; fi @dirrm lib/%%SGUILDIR%% +@dirrm share/%%SGUILDIR%% --- patch-pkg-plist ends here --- --- patch-files-pkg-message.in begins here --- --- files/pkg-message.in.orig 2006-10-30 20:43:25.000000000 -0600 +++ files/pkg-message.in 2008-04-10 21:06:48.000000000 -0500 @@ -2,11 +2,21 @@ * !!!!!!!!!!! WARNING !!!!!!!!!!! * *********************************** +PLEASE NOTE: If you are upgrading from a previous version, +read the UPGRADE doc (in %%DOCSDIR%%) before proceeding!!! +Some noteworthy changes in version 0.7.0: +SSL is now required for server, sensor and client. +The sguild.conf and sguild.email files have changed. +You MUST run the upgrade_0.7.tcl script to clean up and +prepare the database before running the new version. BE SURE +TO BACK UP YOUR DATABASE BEFORE PROCEEDING!!! + If you had existing config files in %%PREFIX%%/etc/%%SGUILDIR%% they were not overwritten. If this is a first time install, you must copy the sample files to the corresponding conf file and edit the various config files for your site. See the INSTALL -doc in %%DOCSDIR%% for details. +doc in %%DOCSDIR%% for details. If this is an upgrade, replace +your existing conf file with the new one and edit accordingly. The sql scripts for creating database tables were placed in the %%PREFIX%%/share/%%SGUILDIR%%/ directory. PLEASE @@ -23,8 +33,12 @@ %%PREFIX%%/etc/rc.d/. To enable it, edit /etc/rc.conf per the instructions in the script. +NOTE: Sguild now runs under the sguil user account not root! + For general questions, see the sguil faq: -http://sguil.sourceforge.net/index.php?page=faq +http://www.vorant.com/nsmwiki/Sguil_FAQ or visit the nsm wiki: +http://www.vorant.com/nsmwiki/Main_Page + For detailed install instructions see Richard Bejtlich's excellent guide at his blog: http://taosecurity.blogspot.com/2006/03/new-sguil-scripts-and-vm-i-have-not.html --- patch-files-pkg-message.in ends here --- --- patch-files-sguild begins here --- --- files/patch-sguild.orig 2006-10-30 20:43:25.000000000 -0600 +++ files/patch-sguild 2008-04-10 21:06:48.000000000 -0500 @@ -1,15 +1,15 @@ ---- sguild.orig Tue Mar 28 04:36:05 2006 -+++ sguild Tue Mar 28 04:37:10 2006 -@@ -229,7 +229,7 @@ - package require tls - # Check for certs - if {![info exists CERTS_PATH]} { +--- sguild.orig 2008-04-08 22:02:24.000000000 -0500 ++++ sguild 2008-04-08 22:09:11.000000000 -0500 +@@ -235,7 +235,7 @@ + # Check for certs + if {![info exists CERTS_PATH]} { + - set CERTS_PATH /etc/sguild/certs + set CERTS_PATH /usr/local/etc/sguil-server/certs - } - if {![file exists $CERTS_PATH] || ![file isdirectory $CERTS_PATH]} { - puts "ERROR: $CERTS_PATH does not exist or is not a directory" -@@ -251,13 +251,13 @@ + + } + +@@ -265,13 +265,13 @@ if { ![info exists CONF_FILE] } { # No conf file specified check the defaults @@ -26,7 +26,7 @@ DisplayUsage $argv0 } } -@@ -338,17 +338,17 @@ +@@ -354,17 +354,17 @@ # Check for a valid USERS file if { ![info exists USERS_FILE] } { # No users file was specified. Go with the defaults @@ -48,7 +48,7 @@ DisplayUsage $argv0 } } -@@ -376,8 +376,8 @@ +@@ -392,8 +392,8 @@ # Load accessfile if { ![info exists ACCESS_FILE] } { # Check the defaults @@ -59,7 +59,7 @@ } elseif { [file exists ./sguild.access] } { set ACCESS_FILE "./sguild.access" } else { -@@ -391,8 +391,8 @@ +@@ -407,8 +407,8 @@ } # Load auto cat config if { ![info exists AUTOCAT_FILE] } { @@ -70,7 +70,7 @@ } else { set AUTOCAT_FILE "./autocat.conf" } -@@ -402,8 +402,8 @@ +@@ -418,8 +418,8 @@ } # Load email config file if { ![info exists EMAIL_FILE] } { @@ -81,7 +81,7 @@ } else { set EMAIL_FILE "./sguild.email" } -@@ -415,8 +415,8 @@ +@@ -431,8 +431,8 @@ } # Load global queries. if { ![info exists GLOBAL_QRY_FILE] } { @@ -92,7 +92,7 @@ } else { set GLOBAL_QRY_FILE "./sguild.queries" } -@@ -428,8 +428,8 @@ +@@ -444,8 +444,8 @@ } # Load report queries. if { ![info exists REPORT_QRY_FILE] } { --- patch-files-sguild ends here --- --- patch-files-sguild.access begins here --- --- files/patch-sguild.access.orig 2006-10-30 20:43:25.000000000 -0600 +++ files/patch-sguild.access 2008-04-10 21:06:48.000000000 -0500 @@ -1,12 +1,12 @@ ---- sguild.access.orig Tue Mar 28 03:36:31 2006 -+++ sguild.access Tue Mar 28 03:37:44 2006 +--- sguild.access.orig 2008-04-03 17:55:46.000000000 -0500 ++++ sguild.access 2008-04-03 17:56:50.000000000 -0500 @@ -4,7 +4,8 @@ # This file is used by sguild for access control. It is read upon init # # or when sguild receives a HUP signal. # # # -# By default, sguild will look first for /etc/sguild/sguild.access, # +# By default, sguild will look first for # -+# /usrlocal//etc/sguild/sguild.access, # ++# /usr/local/etc/sguild/sguild.access, # # then ./sguild.access unless the -A /path/to/sguild.access switch # # is used. # # # --- patch-files-sguild.access ends here --- --- patch-files-sguild.conf begins here --- --- files/patch-sguild.conf.orig 2006-10-30 20:43:25.000000000 -0600 +++ files/patch-sguild.conf 2008-04-10 21:06:48.000000000 -0500 @@ -1,41 +1,28 @@ -*** sguild.conf.orig Tue Mar 28 02:38:13 2006 ---- sguild.conf Tue Mar 28 02:39:47 2006 -*************** -*** 2,6 **** - - # Path the sguild libs -! set SGUILD_LIB_PATH ./lib - - # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty. ---- 2,6 ---- - - # Path the sguild libs -! set SGUILD_LIB_PATH /usr/local/lib/sguil-server/ - - # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty. -*************** -*** 61,65 **** - # You MUST have tcpflow installed to get xscripts - # http://www.circlemud.org/~jelson/software/tcpflow/ -! set TCPFLOW "/usr/bin/tcpflow" - - # p0f - (C) Michal Zalewski , William Stearns ---- 61,65 ---- - # You MUST have tcpflow installed to get xscripts - # http://www.circlemud.org/~jelson/software/tcpflow/ -! set TCPFLOW "/usr/local/bin/tcpflow" - - # p0f - (C) Michal Zalewski , William Stearns -*************** -*** 72,76 **** - # Path the the p0f binary. Switches -q and -s are appended on exec, - # add any others you may need here. -! set P0F_PATH "/usr/sbin/p0f" - - # Email config moved to sguild.email ---- 72,76 ---- - # Path the the p0f binary. Switches -q and -s are appended on exec, - # add any others you may need here. -! set P0F_PATH "/usr/local/bin/p0f" - - # Email config moved to sguild.email +--- sguild.conf.orig 2008-04-03 17:47:18.000000000 -0500 ++++ sguild.conf 2008-04-03 17:53:11.000000000 -0500 +@@ -1,7 +1,7 @@ + # $Id: sguild.conf,v 1.29 2006/06/02 20:40:57 bamm Exp $ # + + # Path the sguild libs +-set SGUILD_LIB_PATH ./lib ++set SGUILD_LIB_PATH /usr/local/lib/sguil-server + + # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty. + set DEBUG 2 +@@ -63,7 +63,7 @@ + + # You MUST have tcpflow installed to get xscripts + # http://www.circlemud.org/~jelson/software/tcpflow/ +-set TCPFLOW "/usr/bin/tcpflow" ++set TCPFLOW "/usr/local/bin/tcpflow" + + # p0f - (C) Michal Zalewski , William Stearns + # If you have p0f (a passive OS fingerprinting system) installed, you can have +@@ -74,6 +74,6 @@ + + # Path the the p0f binary. Switches -q and -s are appended on exec, + # add any others you may need here. +-set P0F_PATH "/usr/sbin/p0f" ++set P0F_PATH "/usr/local/bin/p0f" + + # Email config moved to sguild.email --- patch-files-sguild.conf ends here --- --- patch-files-sguild.sh.in begins here --- --- files/sguild.sh.in.orig 2007-02-26 17:02:04.000000000 -0600 +++ files/sguild.sh.in 2008-04-10 21:06:48.000000000 -0500 @@ -21,12 +21,13 @@ command="%%PREFIX%%/bin/${name}" procname="%%TCLSH%%" -pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" +check_process="${procname}" +sguild_user="sguil" +pid="/var/run/%%SGUILDIR%%/${name}.pid" sguild_enable=${sguild_enable-NO} sguild_conf=${sguild_conf-%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf} -sguild_flags=${sguild_flags--D} +sguild_flags=${sguild_flags--D -P ${pid}} [ -n "$sguild_conf" ] && sguild_flags="$sguild_flags -c $sguild_conf" load_rc_config ${name} --- patch-files-sguild.sh.in ends here --- --- pkg-install.in begins here --- #!/bin/sh # # $FreeBSD$ # echo "This sguild install script creates a \"turnkey\" install " echo "of sguild, including configuing the database and conf files" echo "and user accounts so that sguild can be started immediately." echo "" echo "You may have already done all this (especially if this is an upgrade)" echo "and may not be interested in iterating through cert creation and" echo "everything else that the script does." echo "" echo "Would you like to opt out of the entire install script " echo "and configure sguild manually yourself?" ; read ans case "$ans" in y*|Y*) exit 0 ;; n*|N*) ;; *) exit 64 ;; esac # This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the # maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up # at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16 # I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD # developers from whose OS I stole a few tricks as well. # Set up some paths and variables for later use PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin pkgname=$1 rootpwd='' confdir="${PKG_PREFIX:-%%PREFIX%%}/etc" portdir="${CURDIR:-%%CURDIR%%}" scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts" if [ -x /usr/sbin/nologin ]; then nologin=/usr/sbin/nologin else nologin=/sbin/nologin fi # Source rc.conf for later if [ -z "${source_rc_confs_defined}" ]; then if [ -r /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf source_rc_confs elif [ -r /etc/rc.conf ]; then . /etc/rc.conf fi fi sguil_user="sguil" sguil_group="sguil" case $2 in PRE-INSTALL) echo "==> Pre-installation configuration of ${pkgname}" if ! pw groupshow ${sguil_group} -q >/dev/null ; then if ! pw groupadd ${sguil_group} -q; then echo "Failed to create group \"${sguil_group}\"!" >&2 echo "Please create it manually." >&2 exit 1 else echo "Group '%{sguil-group}' created successfully." pw groupshow ${sguil_group} fi fi if ! pw usershow ${sguil_user} -q >/dev/null ; then if ! pw useradd -q -n ${sguil_user} \ -g ${sguil_group} -s "${nologin}" \ -h - ; then echo "Failed to create user '%{sguil_user}'!" >&2 echo "Please create it manually." >&2 exit 1 else echo "User '${sguil_user}' create successfully." pw usershow ${sguil_user} fi fi for dir in %%SGUILDIR%% %%SGUILDIR%%/certs ; do if [ ! -d ${confdir}/${dir} ]; then echo "Creating ${confdir}/${dir} ...." install -d -o ${sguil_user} -g ${sguil_group} \ -m 0750 ${confdir}/${dir} fi done for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do if [ ! -d ${dir} ]; then echo "Creating ${dir} ...." install -d -o ${sguil_user} -g ${sguil_group} \ -m 0750 ${dir} fi done ;; POST-INSTALL) echo -e "\033[1mThere are a few things that need to be done to complete the install." echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and " echo "sensors will work, you need to create the database, the account to access it and " echo "the tables for the database and you need to create the directories where all the " echo "data will be stored. (You will also need to edit the conf files for your setup.)" echo "" echo "If you haven't already done this, I can do it for you now." echo "Would you like to create certs now? (y for yes, n for no)"; read ans case "$ans" in y*|Y*) echo -e "\033[1mFirst we need to create a password-protected CA cert." echo "" echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)" openssl req -out CA.pem -new -x509 echo "Now we need to create a server certificate/key pair." openssl genrsa -out sguild.key 1024 echo -e "\033[1mNow we need to create a certificate request to be signed by the CA." echo "DO NOT password protect your server key. If you do, you will be required" echo "to enter the password every time you start the server." echo -e "\033[0m" openssl req -key sguild.key -new -out sguild.req echo "Now we need to create the actual certificate for your server." echo 44 > file.sr1 openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory " echo "and clean up the port directory as well." for files in sguild.key sguild.pem; do mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/ done for files in CA.pem privkey.pem sguild.req file.sr1; do rm ${portdir}/$files done ;; n*|N*) echo -e "\033[1mSSL is now required for all connections between server, sensors and clients." echo "If you haven't already created certs, you will need to do that before sguil will work." echo -e "\033[0m" echo "" ;; *) exit 64 ;; esac echo -e "\033[1mIs the installation of mysql brand new and unaltered?" echo -e "\033[0mBy default, when mysql is installed, it creates five accounts." echo "None of those accounts are protected by passwords. That needs to be corrected." echo "The five accounts are:" echo " root@localhost" echo " root@127.0.0.1" echo " root@`hostname`" echo " @localhost" echo " @`hostname`" echo "I can remove all of the accounts except root@localhost (highly recommended) " echo "and I can set the password for the root@localhost account. (If you get an error " echo "don't worry about it. The account may not have been created to begin with." echo "Would you like me to do that now?" ; read ans case "$ans" in y*|Y*) echo "Enabling mysql in /etc/rc.conf and starting the server....." case ${mysql_enable} in [Yy][Ee][Ss]) echo -e "\033[1mIt appears that mysql is already enabled!" echo -e "\033[0m" ;; *) echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf echo "mysql_enable=\"YES\"" >> /etc/rc.conf ;; esac mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` echo "The mysql pid is ${mysql_pid}...." if [ -z ${mysql_pid} ]; then %%PREFIX%%/etc/rc.d/mysql-server start fi sleep 1 mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` if [ -s ${mysql_pid} ]; then echo "The mysql server did not start. Please fix the problem " echo "and run this script again." exit 64 fi echo "Deleting users from mysql......" mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';" mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';" mysql -u root -e "USE mysql; DROP USER ''@'localhost';" mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';" echo "All done deleting......." echo "What would you like root@localhost's password to be?" ; read rootpwd mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');" mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;" ;; n*|N*) echo "Before you use the database, you should at least set passwords" echo "for all the accounts. Otherwise anyone can login to your database." echo "To remove an account, use \"drop user 'user'@'host'\"." echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"." ;; *) exit 64 ;; esac echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?" echo -e "\033[0m" ; read ans case "$ans" in y*|Y*) if [ ! -f /etc/my.cnf ]; then echo "[mysqld]" >> /etc/my.cnf echo "bind-address=127.0.0.1" >> /etc/my.cnf echo "socket=/tmp/mysql.sock" >> /etc/my.cnf echo "ft_min_word_len=3" >> /etc/my.cnf mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` echo "The mysql pid is ${mysql_pid}...." if [ -z ${mysql_pid} ]; then %%PREFIX%%/etc/rc.d/mysql-server start else %%PREFIX%%/etc/rc.d/mysql-server restart fi else echo "/etc/my.cnf already exists!" echo "add \"bind-address=127.0.0.1\" in the [mysqld] section " echo "to force mysql to listen only on localhost." echo "Then restart the server to accept the new settings." fi ;; n*|N*) ;; *) exit 64 ;; esac echo -e "\033[1mWould you like to create the database to store all nsm data?" echo -e "\033[0m" ; read ans echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade." case "$ans" in y*|Y*) if [ -z ${rootpwd} ]; then echo "What is the password for the mysql root user?"; read rootpwd fi mysql -u root -p${rootpwd} -e "create database sguildb" mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql ;; n*|N*) echo -e "\033[1mPlease note: if you are upgrading from a previous version " echo "of sguil, you need to run the upgrade_0.7.tcl script located in " echo "'${scriptdir}'." echo -e "\033[0mIf you've already cleaned the port directory, run " echo "make extract to recover the files and access the script." echo "" ;; *) exit 64 ;; esac echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?" echo -e "\033[0m" ; read ans case "$ans" in y*|Y*) if [ -z ${rootpwd} ]; then echo "Please enter the password for the mysql root account." ; read rootpwd fi echo -e "\033[1mPlease enter the password that you want to use for the sguild account." echo -e "\033[0m"; read sguildpwd echo "Creating account for sguild with access to sguildb....." mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \ to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'" mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'" mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES" ;; n*|N*) ;; *) exit 64 ;; esac echo -e "\033[1mWould you like to create the data directory and all its subdirectories?" echo -e "\033[0m"; read ans case "$ans" in y*|Y*) echo "What do you want the name of the main directory to be?" echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir echo "The main directory will be named '${maindir}'." for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do if [ ! -d ${dir} ]; then echo "Creating ${dir} ...." install -d -o ${sguil_user} -g ${sguil_group} \ -m 0750 ${dir} else echo -e "\033[1mThe directory '${dir}' already exists!" echo -e "\033[0m" fi done ;; n*|N*) ;; *) exit 64 ;; esac echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?" echo -e "\033[0m"; read ans case "$ans" in y*|Y*) case ${sguild_enable} in [Yy][Ee][Ss]) echo -e "\033[1mIt appears that sguild is already enabled!" echo -e "\033[0m" ;; *) echo -e i"\033[1mWriting to /etc/rc.conf...." echo -e "\033[0m" echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf echo "sguild_enable=\"YES\"" >> /etc/rc.conf ;; esac ;; n*|N*) ;; *) exit 64 ;; esac echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now." echo -e "\033[0m" if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then echo "The sguild.conf file already exists!" echo "Do you want me to edit it anyway?" ; read ans case "$ans" in y*|Y*) echo -e "\033[1mPreparing to edit the sguild.conf file......" if [ -z ${maindir} ]; then echo "There's a couple of things I need to verify before continuing." echo "What is the name of the main nsm directory that you are using?" echo -e "\033[0m" ; read ans maindir="$ans" fi if [ -z ${sguildpwd} ]; then echo -e "\033[1mWhat is the password for the sguild database user?" echo -e "\033[0m" ; read ans sguildpwd="$ans" fi sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ -e 's|sguild_data|'"${maindir}"'|' \ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf ;; n*|N*) ;; *) exit 64 ;; esac else echo -e "\033[1mPreparing to edit the sguild.conf file......" if [ -z ${maindir} ]; then echo "There's a couple of things I need to verify before continuing." echo "What is the name of the main nsm directory that you are using?" echo -e "\033[0m" ; read ans maindir="$ans" fi if [ -z ${sguildpwd} ]; then echo -e "\033[1mWhat is the password for the sguild database user?" echo -e "\033[0m" ; read ans sguildpwd="$ans" fi sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ -e 's|sguild_data|'"${maindir}"'|' \ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf fi if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users fi if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access fi echo -e "\033[1mYou still need to review all the conf files and configure sguil " echo "per your desired setup before starting sguild. Refer to the port docs in " echo "%%DOCSDIR%% before proceeding." echo -e "\033[0m" echo "Right now, all the conf files except sguild.conf are set to the defaults." for files in archive_sguildb.tcl sguild incident_report.tcl ; do if [ -f %%PREFIX%%/bin/${files} ]; then chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files} fi done if [ ! -f %%PREFIX%%/bin/sguild ]; then echo "Sguild is missing! Please correct the problem before continuing!" exit 1 fi ;; *) exit 64 ;; esac exit 0 --- pkg-install.in ends here --- --- pkg-deinstall.in begins here --- #!/bin/sh # # $FreeBSD$ # USER="sguil" # Make sure we're in the right stage of the process if [ "$2" = "DEINSTALL" ]; then echo "Stopping sguild......" %%PREFIX%%/etc/rc.d/sguild stop %%PREFIX%%/etc/rc.d/sguild poll echo "Would you like to remove the sguild certs?" ; read ans case "$ans" in y*|Y*) if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key ]; then rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key fi if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem ]; then rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem fi ;; n*|N*) ;; *) exit 64 ;; esac cd %%PREFIX%%/etc/%%SGUILDIR%% || exit 1 # Remove the conf files *if* they have not been altered for f in autocat.conf sguild.access sguild.conf sguild.email \ sguild.queries sguild.reports sguild.users; do cmp -s -z ${f} ${f}-sample && rm ${f} done # Remove the user and group if the installer chooses to echo "Would you like to remove the sguil user and group?" ; read ans case "$ans" in y*|Y*) if pw usershow "${USER}" 2>/dev/null 1>&2; then pw userdel -n sguil fi if pw groupshow "${USER}" 2>/dev/null 1>&2; then pw groupdel -n sguil fi ;; n*|N*) ;; *) ;; esac fi if [ "$2" = "POST-DEINSTALL" ]; then # If the user exists, then display a message if pw usershow "${USER}" 2>/dev/null 1>&2; then echo "To delete the '${USER}' user permanently, use 'pw userdel ${USER}'" fi # If the group exists, then display a message if pw groupshow "${USER}" 2>/dev/null 1>&2; then echo "To delete the '${USER}' group permanently, use 'pw groupdel ${USER}'" fi fi exit 0 --- pkg-deinstall.in ends here --- >Release-Note: >Audit-Trail: >Unformatted: