ports/122647: security/sguil-server, port upgrade, new version
Paul Scmehl
pauls at utdallas.edu
Fri Apr 11 03:50:05 UTC 2008
>Number: 122647
>Category: ports
>Synopsis: security/sguil-server, port upgrade, new version
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 11 03:50:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Paul Scmehl
>Release: FreeBSD 7.0-STABLE i386
>Organization:
University of Texas at Dallas
>Environment:
System: FreeBSD hostname.utdallas.edu 7.0-STABLE FreeBSD 7.0-STABLE #4: Mon Apr 7 15:22:19 CDT 2008 root at hostname.utdallas.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
This PR updates the security/sguil-server port to the new version - 0.7.0
Committer: Please note - there are three sguil port; server, sensor & client
All three must be updated at the same time. Please do not commit this update
without also committing the other two. In addition, a repocopy of security/barnyard-sguil6
to security/barnyard-squil is required in order for the sensor port to work. So all four
changes must be committed at the same time.
>How-To-Repeat:
>Fix:
--- patch-Makefile begins here ---
--- Makefile.orig 2007-01-16 06:45:12.000000000 -0600
+++ Makefile 2008-04-10 21:06:48.000000000 -0500
@@ -6,8 +6,7 @@
#
PORTNAME= sguil-server
-PORTVERSION= 0.6.1
-PORTREVISION= 1
+PORTVERSION= 0.7.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= sguil
@@ -18,7 +17,6 @@
RUN_DEPENDS= p0f:${PORTSDIR}/net-mgmt/p0f \
tcpflow:${PORTSDIR}/net/tcpflow \
dtplite:${PORTSDIR}/devel/tcllib \
- barnyard:${PORTSDIR}/security/barnyard-sguil6 \
${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
LIB_DEPENDS= tls:${PORTSDIR}/devel/tcltls
@@ -29,24 +27,33 @@
WRKSRC= ${WRKDIR}/sguil-${PORTVERSION}
PATCH_WRKSRC= ${WRKSRC}/server
PLIST_SUB= SGUILDIR=${SGUILDIR}
-SUB_FILES= pkg-message
-SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD}
-LIBRARIES= SguildAccess.tcl SguildEvent.tcl SguildReportBuilder.tcl \
- SguildAutoCat.tcl SguildGenericDB.tcl SguildSendComms.tcl \
+SUB_FILES= pkg-message pkg-install pkg-deinstall
+SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD} CURDIR=${.CURDIR} \
+ WRKSRC=${WRKSRC} DOCSDIR=${DOCSDIR}
+LIBRARIES= SguildAccess.tcl SguildGenericDB.tcl SguildReportBuilder.tcl \
+ SguildAutoCat.tcl SguildGenericEvent.tcl SguildSendComms.tcl \
SguildClientCmdRcvd.tcl SguildHealthChecks.tcl SguildSensorAgentComms.tcl \
SguildConnect.tcl SguildLoaderd.tcl SguildSensorCmdRcvd.tcl \
SguildCreateDB.tcl SguildMysqlMerge.tcl SguildTranscript.tcl \
- SguildEmailEvent.tcl SguildQueryd.tcl SguildUtils.tcl
-SCRIPTS= create_ruledb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \
- create_sguildb.sql update_sguildb_v5-v6.sql update_sguildb_v9-v10.sql \
- migrate_event.tcl update_sguildb_v6-v7.sql migrate_sancp.tcl update_sguildb_v7-v8.sql
+ SguildEmailEvent.tcl SguildPadsLib.tcl SguildUtils.tcl \
+ SguildEvent.tcl SguildQueryd.tcl
+SCRIPTS= create_ruledb.sql update_0.7.tcl update_sguildb_v7-v8.sql \
+ create_sguildb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \
+ migrate_event.tcl update_sguildb_v11-v12.sql update_sguildb_v9-v10.sql \
+ migrate_sancp.tcl update_sguildb_v5-v6.sql sancp_cleanup.tcl update_sguildb_v6-v7.sql
CONFS= autocat.conf sguild.access sguild.conf sguild.email sguild.queries sguild.reports sguild.users
-PORTDOCS= CHANGES INSTALL INSTALL.openbsd LICENSE.QPL \
- OPENSSL.README TODO USAGE sguildb.dia
+PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \
+ OPENSSL.README TODO UPGRADE USAGE sguildb.dia
+
+OPTIONS= MYSQL50 "Install mysql50 server" off
.include <bsd.port.pre.mk>
+.if defined(WITH_MYSQL50)
+RUN_DEPENDS+= ${LOCALBASE}/libexec/mysqld:${PORTSDIR}/databases/mysql50-server
+.endif
+
MYSQLTCL_VER!= cd ${PORTSDIR}/databases/mysqltcl && ${MAKE} -V PORTVERSION
RUN_DEPENDS+= ${LOCALBASE}/lib/mysqltcl-${MYSQLTCL_VER}:${PORTSDIR}/databases/mysqltcl
@@ -56,10 +63,15 @@
@${REINPLACE_CMD} -e 's:exec tclsh:exec ${TCLSH_CMD}:g' ${WRKSRC}/server/${f}
.endfor
-do-install:
- @${MKDIR} ${PREFIX}/etc/${SGUILDIR}
+pre-su-install:
+ @${SETENV} ${SCRIPTS_ENV} PKG_PREFIX=${PREFIX} \
+ ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+
+pre-install:
@${MKDIR} ${PREFIX}/lib/${SGUILDIR}
@${MKDIR} ${PREFIX}/share/${SGUILDIR}
+ @${MKDIR} /var/run/${SGUILDIR}
+do-install:
.for f in archive_sguildb.tcl sguild
${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/${f} ${PREFIX}/bin/${f}
.endfor
@@ -80,6 +92,9 @@
@${MKDIR} ${DOCSDIR}
cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
.endif
+ @${SETENV} PKG_PREFIX=${PREFIX} && PORTSDIR=${PORTSDIR} \
+ ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
@${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
--- patch-Makefile ends here ---
--- patch-distinfo begins here ---
--- distinfo.orig 2006-10-30 20:43:25.000000000 -0600
+++ distinfo 2008-04-10 21:06:48.000000000 -0500
@@ -1,3 +1,3 @@
-MD5 (sguil-server-0.6.1.tar.gz) = 27decbe3c6528bf2c86c74b35b8f7b3b
-SHA256 (sguil-server-0.6.1.tar.gz) = 22aea8f76da0530ae7ee9a68efe1de7615bec47a7702c93f8fe338d57590ce57
-SIZE (sguil-server-0.6.1.tar.gz) = 92901
+MD5 (sguil-server-0.7.0.tar.gz) = 2ba67b1a98ed92f43072ecd98d9e15eb
+SHA256 (sguil-server-0.7.0.tar.gz) = 8ed845779c516b7bcb092454d339a26bca69f52689f9f07831fb41a3efe58809
+SIZE (sguil-server-0.7.0.tar.gz) = 103440
--- patch-distinfo ends here ---
--- patch-pkg-plist begins here ---
--- pkg-plist.orig 2006-10-30 20:43:25.000000000 -0600
+++ pkg-plist 2008-04-10 21:06:48.000000000 -0500
@@ -16,9 +16,11 @@
lib/%%SGUILDIR%%/SguildEmailEvent.tcl
lib/%%SGUILDIR%%/SguildEvent.tcl
lib/%%SGUILDIR%%/SguildGenericDB.tcl
+lib/%%SGUILDIR%%/SguildGenericEvent.tcl
lib/%%SGUILDIR%%/SguildHealthChecks.tcl
lib/%%SGUILDIR%%/SguildLoaderd.tcl
lib/%%SGUILDIR%%/SguildMysqlMerge.tcl
+lib/%%SGUILDIR%%/SguildPadsLib.tcl
lib/%%SGUILDIR%%/SguildQueryd.tcl
lib/%%SGUILDIR%%/SguildReportBuilder.tcl
lib/%%SGUILDIR%%/SguildSendComms.tcl
@@ -30,12 +32,16 @@
share/%%SGUILDIR%%/create_sguildb.sql
share/%%SGUILDIR%%/migrate_event.tcl
share/%%SGUILDIR%%/migrate_sancp.tcl
+share/%%SGUILDIR%%/sancp_cleanup.tcl
+share/%%SGUILDIR%%/update_0.7.tcl
share/%%SGUILDIR%%/update_sguildb_v5-v6.sql
share/%%SGUILDIR%%/update_sguildb_v6-v7.sql
share/%%SGUILDIR%%/update_sguildb_v7-v8.sql
share/%%SGUILDIR%%/update_sguildb_v8-v9.sql
share/%%SGUILDIR%%/update_sguildb_v9-v10.sql
share/%%SGUILDIR%%/update_sguildb_v10-v11.sql
- at dirrm share/%%SGUILDIR%%
- at unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] ; then rmdir %D/etc/%%SGUILDIR%%; fi
+share/%%SGUILDIR%%/update_sguildb_v11-v12.sql
+ at dirrmtry etc/%%SGUILDIR%%/certs
+ at unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] && [ ! -d %D/etc/%%SGUILDIR%%/certs ] ; then rmdir %D/etc/%%SGUILDIR%%; fi
@dirrm lib/%%SGUILDIR%%
+ at dirrm share/%%SGUILDIR%%
--- patch-pkg-plist ends here ---
--- patch-files-pkg-message.in begins here ---
--- files/pkg-message.in.orig 2006-10-30 20:43:25.000000000 -0600
+++ files/pkg-message.in 2008-04-10 21:06:48.000000000 -0500
@@ -2,11 +2,21 @@
* !!!!!!!!!!! WARNING !!!!!!!!!!! *
***********************************
+PLEASE NOTE: If you are upgrading from a previous version,
+read the UPGRADE doc (in %%DOCSDIR%%) before proceeding!!!
+Some noteworthy changes in version 0.7.0:
+SSL is now required for server, sensor and client.
+The sguild.conf and sguild.email files have changed.
+You MUST run the upgrade_0.7.tcl script to clean up and
+prepare the database before running the new version. BE SURE
+TO BACK UP YOUR DATABASE BEFORE PROCEEDING!!!
+
If you had existing config files in %%PREFIX%%/etc/%%SGUILDIR%%
they were not overwritten. If this is a first time install, you
must copy the sample files to the corresponding conf file and
edit the various config files for your site. See the INSTALL
-doc in %%DOCSDIR%% for details.
+doc in %%DOCSDIR%% for details. If this is an upgrade, replace
+your existing conf file with the new one and edit accordingly.
The sql scripts for creating database tables were placed in
the %%PREFIX%%/share/%%SGUILDIR%%/ directory. PLEASE
@@ -23,8 +33,12 @@
%%PREFIX%%/etc/rc.d/. To enable it, edit /etc/rc.conf
per the instructions in the script.
+NOTE: Sguild now runs under the sguil user account not root!
+
For general questions, see the sguil faq:
-http://sguil.sourceforge.net/index.php?page=faq
+http://www.vorant.com/nsmwiki/Sguil_FAQ or visit the nsm wiki:
+http://www.vorant.com/nsmwiki/Main_Page
+
For detailed install instructions see Richard Bejtlich's
excellent guide at his blog:
http://taosecurity.blogspot.com/2006/03/new-sguil-scripts-and-vm-i-have-not.html
--- patch-files-pkg-message.in ends here ---
--- patch-files-sguild begins here ---
--- files/patch-sguild.orig 2006-10-30 20:43:25.000000000 -0600
+++ files/patch-sguild 2008-04-10 21:06:48.000000000 -0500
@@ -1,15 +1,15 @@
---- sguild.orig Tue Mar 28 04:36:05 2006
-+++ sguild Tue Mar 28 04:37:10 2006
-@@ -229,7 +229,7 @@
- package require tls
- # Check for certs
- if {![info exists CERTS_PATH]} {
+--- sguild.orig 2008-04-08 22:02:24.000000000 -0500
++++ sguild 2008-04-08 22:09:11.000000000 -0500
+@@ -235,7 +235,7 @@
+ # Check for certs
+ if {![info exists CERTS_PATH]} {
+
- set CERTS_PATH /etc/sguild/certs
+ set CERTS_PATH /usr/local/etc/sguil-server/certs
- }
- if {![file exists $CERTS_PATH] || ![file isdirectory $CERTS_PATH]} {
- puts "ERROR: $CERTS_PATH does not exist or is not a directory"
-@@ -251,13 +251,13 @@
+
+ }
+
+@@ -265,13 +265,13 @@
if { ![info exists CONF_FILE] } {
# No conf file specified check the defaults
@@ -26,7 +26,7 @@
DisplayUsage $argv0
}
}
-@@ -338,17 +338,17 @@
+@@ -354,17 +354,17 @@
# Check for a valid USERS file
if { ![info exists USERS_FILE] } {
# No users file was specified. Go with the defaults
@@ -48,7 +48,7 @@
DisplayUsage $argv0
}
}
-@@ -376,8 +376,8 @@
+@@ -392,8 +392,8 @@
# Load accessfile
if { ![info exists ACCESS_FILE] } {
# Check the defaults
@@ -59,7 +59,7 @@
} elseif { [file exists ./sguild.access] } {
set ACCESS_FILE "./sguild.access"
} else {
-@@ -391,8 +391,8 @@
+@@ -407,8 +407,8 @@
}
# Load auto cat config
if { ![info exists AUTOCAT_FILE] } {
@@ -70,7 +70,7 @@
} else {
set AUTOCAT_FILE "./autocat.conf"
}
-@@ -402,8 +402,8 @@
+@@ -418,8 +418,8 @@
}
# Load email config file
if { ![info exists EMAIL_FILE] } {
@@ -81,7 +81,7 @@
} else {
set EMAIL_FILE "./sguild.email"
}
-@@ -415,8 +415,8 @@
+@@ -431,8 +431,8 @@
}
# Load global queries.
if { ![info exists GLOBAL_QRY_FILE] } {
@@ -92,7 +92,7 @@
} else {
set GLOBAL_QRY_FILE "./sguild.queries"
}
-@@ -428,8 +428,8 @@
+@@ -444,8 +444,8 @@
}
# Load report queries.
if { ![info exists REPORT_QRY_FILE] } {
--- patch-files-sguild ends here ---
--- patch-files-sguild.access begins here ---
--- files/patch-sguild.access.orig 2006-10-30 20:43:25.000000000 -0600
+++ files/patch-sguild.access 2008-04-10 21:06:48.000000000 -0500
@@ -1,12 +1,12 @@
---- sguild.access.orig Tue Mar 28 03:36:31 2006
-+++ sguild.access Tue Mar 28 03:37:44 2006
+--- sguild.access.orig 2008-04-03 17:55:46.000000000 -0500
++++ sguild.access 2008-04-03 17:56:50.000000000 -0500
@@ -4,7 +4,8 @@
# This file is used by sguild for access control. It is read upon init #
# or when sguild receives a HUP signal. #
# #
-# By default, sguild will look first for /etc/sguild/sguild.access, #
+# By default, sguild will look first for #
-+# /usrlocal//etc/sguild/sguild.access, #
++# /usr/local/etc/sguild/sguild.access, #
# then ./sguild.access unless the -A /path/to/sguild.access switch #
# is used. #
# #
--- patch-files-sguild.access ends here ---
--- patch-files-sguild.conf begins here ---
--- files/patch-sguild.conf.orig 2006-10-30 20:43:25.000000000 -0600
+++ files/patch-sguild.conf 2008-04-10 21:06:48.000000000 -0500
@@ -1,41 +1,28 @@
-*** sguild.conf.orig Tue Mar 28 02:38:13 2006
---- sguild.conf Tue Mar 28 02:39:47 2006
-***************
-*** 2,6 ****
-
- # Path the sguild libs
-! set SGUILD_LIB_PATH ./lib
-
- # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
---- 2,6 ----
-
- # Path the sguild libs
-! set SGUILD_LIB_PATH /usr/local/lib/sguil-server/
-
- # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
-***************
-*** 61,65 ****
- # You MUST have tcpflow installed to get xscripts
- # http://www.circlemud.org/~jelson/software/tcpflow/
-! set TCPFLOW "/usr/bin/tcpflow"
-
- # p0f - (C) Michal Zalewski <lcamtuf at gis.net>, William Stearns <wstearns at pobox.com>
---- 61,65 ----
- # You MUST have tcpflow installed to get xscripts
- # http://www.circlemud.org/~jelson/software/tcpflow/
-! set TCPFLOW "/usr/local/bin/tcpflow"
-
- # p0f - (C) Michal Zalewski <lcamtuf at gis.net>, William Stearns <wstearns at pobox.com>
-***************
-*** 72,76 ****
- # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
- # add any others you may need here.
-! set P0F_PATH "/usr/sbin/p0f"
-
- # Email config moved to sguild.email
---- 72,76 ----
- # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
- # add any others you may need here.
-! set P0F_PATH "/usr/local/bin/p0f"
-
- # Email config moved to sguild.email
+--- sguild.conf.orig 2008-04-03 17:47:18.000000000 -0500
++++ sguild.conf 2008-04-03 17:53:11.000000000 -0500
+@@ -1,7 +1,7 @@
+ # $Id: sguild.conf,v 1.29 2006/06/02 20:40:57 bamm Exp $ #
+
+ # Path the sguild libs
+-set SGUILD_LIB_PATH ./lib
++set SGUILD_LIB_PATH /usr/local/lib/sguil-server
+
+ # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
+ set DEBUG 2
+@@ -63,7 +63,7 @@
+
+ # You MUST have tcpflow installed to get xscripts
+ # http://www.circlemud.org/~jelson/software/tcpflow/
+-set TCPFLOW "/usr/bin/tcpflow"
++set TCPFLOW "/usr/local/bin/tcpflow"
+
+ # p0f - (C) Michal Zalewski <lcamtuf at gis.net>, William Stearns <wstearns at pobox.com>
+ # If you have p0f (a passive OS fingerprinting system) installed, you can have
+@@ -74,6 +74,6 @@
+
+ # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
+ # add any others you may need here.
+-set P0F_PATH "/usr/sbin/p0f"
++set P0F_PATH "/usr/local/bin/p0f"
+
+ # Email config moved to sguild.email
--- patch-files-sguild.conf ends here ---
--- patch-files-sguild.sh.in begins here ---
--- files/sguild.sh.in.orig 2007-02-26 17:02:04.000000000 -0600
+++ files/sguild.sh.in 2008-04-10 21:06:48.000000000 -0500
@@ -21,12 +21,13 @@
command="%%PREFIX%%/bin/${name}"
procname="%%TCLSH%%"
-pidfile="/var/run/${name}.pid"
-check_pidfile="${pidfile} ${procname} /bin/sh"
+check_process="${procname}"
+sguild_user="sguil"
+pid="/var/run/%%SGUILDIR%%/${name}.pid"
sguild_enable=${sguild_enable-NO}
sguild_conf=${sguild_conf-%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf}
-sguild_flags=${sguild_flags--D}
+sguild_flags=${sguild_flags--D -P ${pid}}
[ -n "$sguild_conf" ] && sguild_flags="$sguild_flags -c $sguild_conf"
load_rc_config ${name}
--- patch-files-sguild.sh.in ends here ---
--- pkg-install.in begins here ---
#!/bin/sh
#
# $FreeBSD$
#
echo "This sguild install script creates a \"turnkey\" install "
echo "of sguild, including configuing the database and conf files"
echo "and user accounts so that sguild can be started immediately."
echo ""
echo "You may have already done all this (especially if this is an upgrade)"
echo "and may not be interested in iterating through cert creation and"
echo "everything else that the script does."
echo ""
echo "Would you like to opt out of the entire install script "
echo "and configure sguild manually yourself?" ; read ans
case "$ans" in
y*|Y*)
exit 0
;;
n*|N*)
;;
*)
exit 64
;;
esac
# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the
# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up
# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16
# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD
# developers from whose OS I stole a few tricks as well.
# Set up some paths and variables for later use
PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin
pkgname=$1
rootpwd=''
confdir="${PKG_PREFIX:-%%PREFIX%%}/etc"
portdir="${CURDIR:-%%CURDIR%%}"
scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts"
if [ -x /usr/sbin/nologin ]; then
nologin=/usr/sbin/nologin
else
nologin=/sbin/nologin
fi
# Source rc.conf for later
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi
sguil_user="sguil"
sguil_group="sguil"
case $2 in
PRE-INSTALL)
echo "==> Pre-installation configuration of ${pkgname}"
if ! pw groupshow ${sguil_group} -q >/dev/null ; then
if ! pw groupadd ${sguil_group} -q; then
echo "Failed to create group \"${sguil_group}\"!" >&2
echo "Please create it manually." >&2
exit 1
else
echo "Group '%{sguil-group}' created successfully."
pw groupshow ${sguil_group}
fi
fi
if ! pw usershow ${sguil_user} -q >/dev/null ; then
if ! pw useradd -q -n ${sguil_user} \
-g ${sguil_group} -s "${nologin}" \
-h - ; then
echo "Failed to create user '%{sguil_user}'!" >&2
echo "Please create it manually." >&2
exit 1
else
echo "User '${sguil_user}' create successfully."
pw usershow ${sguil_user}
fi
fi
for dir in %%SGUILDIR%% %%SGUILDIR%%/certs ; do
if [ ! -d ${confdir}/${dir} ]; then
echo "Creating ${confdir}/${dir} ...."
install -d -o ${sguil_user} -g ${sguil_group} \
-m 0750 ${confdir}/${dir}
fi
done
for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do
if [ ! -d ${dir} ]; then
echo "Creating ${dir} ...."
install -d -o ${sguil_user} -g ${sguil_group} \
-m 0750 ${dir}
fi
done
;;
POST-INSTALL)
echo -e "\033[1mThere are a few things that need to be done to complete the install."
echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and "
echo "sensors will work, you need to create the database, the account to access it and "
echo "the tables for the database and you need to create the directories where all the "
echo "data will be stored. (You will also need to edit the conf files for your setup.)"
echo ""
echo "If you haven't already done this, I can do it for you now."
echo "Would you like to create certs now? (y for yes, n for no)"; read ans
case "$ans" in
y*|Y*)
echo -e "\033[1mFirst we need to create a password-protected CA cert."
echo ""
echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)"
openssl req -out CA.pem -new -x509
echo "Now we need to create a server certificate/key pair."
openssl genrsa -out sguild.key 1024
echo -e "\033[1mNow we need to create a certificate request to be signed by the CA."
echo "DO NOT password protect your server key. If you do, you will be required"
echo "to enter the password every time you start the server."
echo -e "\033[0m"
openssl req -key sguild.key -new -out sguild.req
echo "Now we need to create the actual certificate for your server."
echo 44 > file.sr1
openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory "
echo "and clean up the port directory as well."
for files in sguild.key sguild.pem; do
mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/
done
for files in CA.pem privkey.pem sguild.req file.sr1; do
rm ${portdir}/$files
done
;;
n*|N*)
echo -e "\033[1mSSL is now required for all connections between server, sensors and clients."
echo "If you haven't already created certs, you will need to do that before sguil will work."
echo -e "\033[0m"
echo ""
;;
*)
exit 64
;;
esac
echo -e "\033[1mIs the installation of mysql brand new and unaltered?"
echo -e "\033[0mBy default, when mysql is installed, it creates five accounts."
echo "None of those accounts are protected by passwords. That needs to be corrected."
echo "The five accounts are:"
echo " root at localhost"
echo " root at 127.0.0.1"
echo " root@`hostname`"
echo " @localhost"
echo " @`hostname`"
echo "I can remove all of the accounts except root at localhost (highly recommended) "
echo "and I can set the password for the root at localhost account. (If you get an error "
echo "don't worry about it. The account may not have been created to begin with."
echo "Would you like me to do that now?" ; read ans
case "$ans" in
y*|Y*)
echo "Enabling mysql in /etc/rc.conf and starting the server....."
case ${mysql_enable} in
[Yy][Ee][Ss])
echo -e "\033[1mIt appears that mysql is already enabled!"
echo -e "\033[0m"
;;
*)
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
echo "mysql_enable=\"YES\"" >> /etc/rc.conf
;;
esac
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
echo "The mysql pid is ${mysql_pid}...."
if [ -z ${mysql_pid} ]; then
%%PREFIX%%/etc/rc.d/mysql-server start
fi
sleep 1
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
if [ -s ${mysql_pid} ]; then
echo "The mysql server did not start. Please fix the problem "
echo "and run this script again."
exit 64
fi
echo "Deleting users from mysql......"
mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';"
mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';"
mysql -u root -e "USE mysql; DROP USER ''@'localhost';"
mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';"
echo "All done deleting......."
echo "What would you like root at localhost's password to be?" ; read rootpwd
mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');"
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;"
;;
n*|N*)
echo "Before you use the database, you should at least set passwords"
echo "for all the accounts. Otherwise anyone can login to your database."
echo "To remove an account, use \"drop user 'user'@'host'\"."
echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"."
;;
*)
exit 64
;;
esac
echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?"
echo -e "\033[0m" ; read ans
case "$ans" in
y*|Y*)
if [ ! -f /etc/my.cnf ]; then
echo "[mysqld]" >> /etc/my.cnf
echo "bind-address=127.0.0.1" >> /etc/my.cnf
echo "socket=/tmp/mysql.sock" >> /etc/my.cnf
echo "ft_min_word_len=3" >> /etc/my.cnf
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
echo "The mysql pid is ${mysql_pid}...."
if [ -z ${mysql_pid} ]; then
%%PREFIX%%/etc/rc.d/mysql-server start
else
%%PREFIX%%/etc/rc.d/mysql-server restart
fi
else
echo "/etc/my.cnf already exists!"
echo "add \"bind-address=127.0.0.1\" in the [mysqld] section "
echo "to force mysql to listen only on localhost."
echo "Then restart the server to accept the new settings."
fi
;;
n*|N*)
;;
*)
exit 64
;;
esac
echo -e "\033[1mWould you like to create the database to store all nsm data?"
echo -e "\033[0m" ; read ans
echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade."
case "$ans" in
y*|Y*)
if [ -z ${rootpwd} ]; then
echo "What is the password for the mysql root user?"; read rootpwd
fi
mysql -u root -p${rootpwd} -e "create database sguildb"
mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql
;;
n*|N*)
echo -e "\033[1mPlease note: if you are upgrading from a previous version "
echo "of sguil, you need to run the upgrade_0.7.tcl script located in "
echo "'${scriptdir}'."
echo -e "\033[0mIf you've already cleaned the port directory, run "
echo "make extract to recover the files and access the script."
echo ""
;;
*)
exit 64
;;
esac
echo -e "\033[1mWould you like to create a user \"sguild at localhost\" for database access?"
echo -e "\033[0m" ; read ans
case "$ans" in
y*|Y*)
if [ -z ${rootpwd} ]; then
echo "Please enter the password for the mysql root account." ; read rootpwd
fi
echo -e "\033[1mPlease enter the password that you want to use for the sguild account."
echo -e "\033[0m"; read sguildpwd
echo "Creating account for sguild with access to sguildb....."
mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \
to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'"
mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'"
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES"
;;
n*|N*)
;;
*)
exit 64
;;
esac
echo -e "\033[1mWould you like to create the data directory and all its subdirectories?"
echo -e "\033[0m"; read ans
case "$ans" in
y*|Y*)
echo "What do you want the name of the main directory to be?"
echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir
echo "The main directory will be named '${maindir}'."
for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do
if [ ! -d ${dir} ]; then
echo "Creating ${dir} ...."
install -d -o ${sguil_user} -g ${sguil_group} \
-m 0750 ${dir}
else
echo -e "\033[1mThe directory '${dir}' already exists!"
echo -e "\033[0m"
fi
done
;;
n*|N*)
;;
*)
exit 64
;;
esac
echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?"
echo -e "\033[0m"; read ans
case "$ans" in
y*|Y*)
case ${sguild_enable} in
[Yy][Ee][Ss])
echo -e "\033[1mIt appears that sguild is already enabled!"
echo -e "\033[0m"
;;
*)
echo -e i"\033[1mWriting to /etc/rc.conf...."
echo -e "\033[0m"
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
echo "sguild_enable=\"YES\"" >> /etc/rc.conf
;;
esac
;;
n*|N*)
;;
*)
exit 64
;;
esac
echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now."
echo -e "\033[0m"
if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then
echo "The sguild.conf file already exists!"
echo "Do you want me to edit it anyway?" ; read ans
case "$ans" in
y*|Y*)
echo -e "\033[1mPreparing to edit the sguild.conf file......"
if [ -z ${maindir} ]; then
echo "There's a couple of things I need to verify before continuing."
echo "What is the name of the main nsm directory that you are using?"
echo -e "\033[0m" ; read ans
maindir="$ans"
fi
if [ -z ${sguildpwd} ]; then
echo -e "\033[1mWhat is the password for the sguild database user?"
echo -e "\033[0m" ; read ans
sguildpwd="$ans"
fi
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
-e 's|sguild_data|'"${maindir}"'|' \
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
;;
n*|N*)
;;
*)
exit 64
;;
esac
else
echo -e "\033[1mPreparing to edit the sguild.conf file......"
if [ -z ${maindir} ]; then
echo "There's a couple of things I need to verify before continuing."
echo "What is the name of the main nsm directory that you are using?"
echo -e "\033[0m" ; read ans
maindir="$ans"
fi
if [ -z ${sguildpwd} ]; then
echo -e "\033[1mWhat is the password for the sguild database user?"
echo -e "\033[0m" ; read ans
sguildpwd="$ans"
fi
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
-e 's|sguild_data|'"${maindir}"'|' \
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
fi
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then
cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users
fi
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then
cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access
fi
echo -e "\033[1mYou still need to review all the conf files and configure sguil "
echo "per your desired setup before starting sguild. Refer to the port docs in "
echo "%%DOCSDIR%% before proceeding."
echo -e "\033[0m"
echo "Right now, all the conf files except sguild.conf are set to the defaults."
for files in archive_sguildb.tcl sguild incident_report.tcl ; do
if [ -f %%PREFIX%%/bin/${files} ]; then
chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files}
fi
done
if [ ! -f %%PREFIX%%/bin/sguild ]; then
echo "Sguild is missing! Please correct the problem before continuing!"
exit 1
fi
;;
*)
exit 64
;;
esac
exit 0
--- pkg-install.in ends here ---
--- pkg-deinstall.in begins here ---
#!/bin/sh
#
# $FreeBSD$
#
USER="sguil"
# Make sure we're in the right stage of the process
if [ "$2" = "DEINSTALL" ]; then
echo "Stopping sguild......"
%%PREFIX%%/etc/rc.d/sguild stop
%%PREFIX%%/etc/rc.d/sguild poll
echo "Would you like to remove the sguild certs?" ; read ans
case "$ans" in
y*|Y*)
if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key ]; then
rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key
fi
if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem ]; then
rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem
fi
;;
n*|N*)
;;
*)
exit 64
;;
esac
cd %%PREFIX%%/etc/%%SGUILDIR%% || exit 1
# Remove the conf files *if* they have not been altered
for f in autocat.conf sguild.access sguild.conf sguild.email \
sguild.queries sguild.reports sguild.users; do
cmp -s -z ${f} ${f}-sample && rm ${f}
done
# Remove the user and group if the installer chooses to
echo "Would you like to remove the sguil user and group?" ; read ans
case "$ans" in
y*|Y*)
if pw usershow "${USER}" 2>/dev/null 1>&2; then
pw userdel -n sguil
fi
if pw groupshow "${USER}" 2>/dev/null 1>&2; then
pw groupdel -n sguil
fi
;;
n*|N*)
;;
*)
;;
esac
fi
if [ "$2" = "POST-DEINSTALL" ]; then
# If the user exists, then display a message
if pw usershow "${USER}" 2>/dev/null 1>&2; then
echo "To delete the '${USER}' user permanently, use 'pw userdel ${USER}'"
fi
# If the group exists, then display a message
if pw groupshow "${USER}" 2>/dev/null 1>&2; then
echo "To delete the '${USER}' group permanently, use 'pw groupdel ${USER}'"
fi
fi
exit 0
--- pkg-deinstall.in ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list