svn commit: r554309 - in head/security/zeek: . files
Craig Leres
leres at FreeBSD.org
Fri Nov 6 18:38:47 UTC 2020
Author: leres
Date: Fri Nov 6 18:38:46 2020
New Revision: 554309
URL: https://svnweb.freebsd.org/changeset/ports/554309
Log:
security/zeek: Fix build on armv7 and allow running as non-root user
Apply Renato Botelho's fix for the ARCH used in PLIST_SUB (with
some changes). Essentially use uname -m instead of trying to fix
up the ARCH defined by bsd.port.mk (uname -p).
While we're here:
- Convert networks.cfg, node.cfg, and zeekctl.cfg to use @sample
- Use @sample to avoid clobbering site.zeek (oops).
- Remove unnecessary subshell for the post-build-NETMAP-on target.
- Silence the annoying "use ZeekControl.plugin instead of
BroControl.plugin" nag.
- Reformat the rc.d script.
- Update the rc.d script to honor the zeek_user rc.d variable and
update pkg-message.in with hints on how to run as user zeek.
- Explain how to configure zeek to ignore checksum errors when NIC
checksum offloading is in use.
- Make share/zeekctl/scripts owned by user zeek to allow "zeekctl
install" when running as user zeek.
PR: 250886
Reported by: garga
Modified:
head/security/zeek/Makefile
head/security/zeek/files/pkg-message.in
head/security/zeek/files/zeek.in
head/security/zeek/pkg-plist
Modified: head/security/zeek/Makefile
==============================================================================
--- head/security/zeek/Makefile Fri Nov 6 18:22:47 2020 (r554308)
+++ head/security/zeek/Makefile Fri Nov 6 18:38:46 2020 (r554309)
@@ -3,6 +3,7 @@
PORTNAME= zeek
PORTVERSION= 3.0.11
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= https://old.zeek.org/downloads/
DISTFILES= ${DISTNAME}${EXTRACT_SUFX}
@@ -45,7 +46,7 @@ CMAKE_ARGS+= -GNinja \
ZEEKUSER?= zeek
ZEEKGROUP?= zeek
-PLIST_SUB+= ARCH=${ARCH:S/aarch64/arm64/} \
+PLIST_SUB+= ARCH=${UNAME_M} \
ZEEKUSER=${ZEEKUSER} \
ZEEKGROUP=${ZEEKGROUP} \
LCASE_OPSYS=${OPSYS:tl}
@@ -98,13 +99,18 @@ ZEEKCTL_RUN_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash
USE_RC_SUBR= zeek
.endif
+post-patch:
+ # Silence the "use ZeekControl.plugin instead of BroControl.plugin" nag
+ @${REINPLACE_CMD} -e 's/^print/#&/' \
+ ${WRKSRC}/aux/zeekctl/BroControl/__init__.py
+
post-install-ZEEKCTL-on:
${MKDIR} ${STAGEDIR}${PREFIX}/logs
${MKDIR} ${STAGEDIR}${PREFIX}/spool/tmp
${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/auto
${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/site
.for F in zeekctl.cfg networks.cfg node.cfg
- ${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.example
+ ${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.sample
.endfor
${RM} ${STAGEDIR}${PREFIX}/share/zeekctl/scripts/zeekctl-config.sh
${LN} -s ../../../spool/zeekctl-config.sh \
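Review bot: The `post-patch` substitution `s/^print/#&/` comments out every line of `BroControl/__init__.py` that starts with `print`, not only the deprecation nag, and the leading `@` keeps the command out of the build log. If the nag is one known line, addressing it by its text is narrower, e.g. `-e '/ZeekControl.plugin/s/^print/#&/'` (this assumes the message text sits on the `print` line; the patched file is not visible here). If that `print` call ever spans several lines, commenting only its first line would leave a syntax error in the installed module. The `post-install-ZEEKCTL-on` recipe continues past the end of this hunk.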
@@ -112,14 +118,20 @@ post-install-ZEEKCTL-on:
post-install:
${RM} -r ${STAGEDIR}${PREFIX}/share/zeek/cmake
+ ${MV} ${STAGEDIR}${DATADIR}/site/local.zeek \
+ ${STAGEDIR}${DATADIR}/site/local.zeek.sample
pre-install-ZEEKCTL-on:
${MKDIR} ${STAGEDIR}${PREFIX}/etc/rc.d
post-build-NETMAP-on:
${LN} -s ../.build ${WRKSRC}/build
- (cd ${WRKSRC_bro_netmap} && ./configure --bro-dist=${WRKSRC} \
+ cd ${WRKSRC_bro_netmap} && ./configure --bro-dist=${WRKSRC} \
--install-root=${STAGEDIR}${PREFIX}/lib/zeek/plugins && \
- make && make install)
+ make && make install
-.include <bsd.port.mk>
+.include <bsd.port.pre.mk>
+
+UNAME_M!= ${UNAME} -m
+
+.include <bsd.port.post.mk>
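Review bot: In `post-build-NETMAP-on` the plugin is still built with a literal `make && make install`, which does not go through the framework's `MAKE_ENV` and `MAKE_CMD`, so the port's environment settings may not reach the plugin build. `${SETENV} ${MAKE_ENV} ${MAKE_CMD} && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} install` would keep it consistent with the main build. The `install` step also writes into `${STAGEDIR}` from a build-phase target; a `post-install-NETMAP-on` target would keep staging in the stage phase. A one-line comment above `UNAME_M!= ${UNAME} -m` saying why the plist directory name must follow `uname -m` rather than `ARCH` would save the next maintainer from reverting it.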
Modified: head/security/zeek/files/pkg-message.in
==============================================================================
--- head/security/zeek/files/pkg-message.in Fri Nov 6 18:22:47 2020 (r554308)
+++ head/security/zeek/files/pkg-message.in Fri Nov 6 18:38:46 2020 (r554309)
@@ -1,12 +1,39 @@
[
{ type: install
message: <<EOM
-During deinstall of this package, the cfg files for broctl
-are not deleted if you have edited them. Instead
-the software will create a .sample file instead and the
-edited files will remain in place when you upgrade. If you
-want to delete them, you have to delete them and the directory,
-%%PREFIX%%/etc manually.
+During deinstall of this package, the cfg files for broctl are not
+deleted if you have edited them. Instead the software will create
+a .sample file instead and the edited files will remain in place
+when you upgrade. If you want to delete them, you have to remove
+the %%PREFIX%%/etc directory manually.
+
+The rc.d script now honors the zeek_user rc.d variable. To run as
+a user other than root (the default) you need to make a few changes.
+For example to run as the user zeek, add this to /etc/rc.conf:
+
+ zeek_enable="YES"
+ zeek_user="zeek"
+
+Add this to /etc/devfs.conf:
+
+ own bpf root:bpf
+ perm bpf 0660
+
+And add zeek to the bpf group:
+
+ bpf:*:81:zeek
+
+and restart the devfs service:
+
+ service devfs restart
+
+or reboot.
+
+If the interface defined in node.cfg is configured for NIC checksum
+offloading (the default when this feature is supported by the
+hardware) you will want to set ignore_checksums in site/local.zeek:
+
+ redef ignore_checksums = T;
EOM
}
]
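Review bot: The non-root instructions give the `bpf` group read and write access (`perm bpf 0660`). Write access to bpf permits frame injection, which a passive sensor does not need, so if Zeek only captures on the host, `perm bpf 0640` is probably enough and worth testing before 0660 is recommended. The group line `bpf:*:81:zeek` is shown without naming the file it belongs in; the lead-in could read `And add zeek to the bpf group in /etc/group (create the group if it does not exist):`. The first paragraph still refers to "broctl" and has a doubled "Instead ... instead".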
Modified: head/security/zeek/files/zeek.in
==============================================================================
--- head/security/zeek/files/zeek.in Fri Nov 6 18:22:47 2020 (r554308)
+++ head/security/zeek/files/zeek.in Fri Nov 6 18:38:46 2020 (r554309)
@@ -17,65 +17,83 @@ node=$2
start_cmd="zeek_start"
stop_cmd="zeek_stop"
restart_cmd="zeek_restart"
+check_cmd="zeek_check"
deploy_cmd="zeek_deploy"
install_cmd="zeek_install"
cleanup_cmd="zeek_cleanup"
restart_cmd="zeek_restart"
status_cmd="zeek_status"
-extra_commands="deploy install cleanup status restart"
+extra_commands="check cleanup deploy install restart status"
: ${zeekctl_program:=%%PREFIX%%/bin/zeekctl}
+: ${zeek_user:=root}
zeek_enable=${zeek_enable-"NO"}
-zeek_start() {
- if [ ! "${node}" ];
- then
- $zeekctl_program start
- else
- $zeekctl_program start $node
- fi
+run()
+{
+ if [ "${zeek_user}" = "root" ]; then
+ $*
+ else
+ su -m ${zeek_user} -c "$*"
+ fi
}
-zeek_stop() {
- if [ ! "${node}" ];
- then
- $zeekctl_program stop
- else
- $zeekctl_program stop $node
- fi
+zeek_start()
+{
+ if [ ! "${node}" ]; then
+ run ${zeekctl_program} start
+ else
+ run ${zeekctl_program} start ${node}
+ fi
}
+zeek_stop()
+{
+ if [ ! "${node}" ]; then
+ run ${zeekctl_program} stop
+ else
+ run ${zeekctl_program} stop ${node}
+ fi
+}
+
zeek_restart() {
- if [ ! "${node}" ];
- then
- $zeekctl_program restart
- else
- $zeekctl_program restart $node
- fi
+ if [ ! "${node}" ]; then
+ run ${zeekctl_program} restart
+ else
+ run ${zeekctl_program} restart ${node}
+ fi
}
-zeek_deploy() {
- $zeekctl_program deploy
+zeek_check()
+{
+ run ${zeekctl_program} check
}
-zeek_install() {
- $zeekctl_program install
+zeek_deploy()
+{
+ run ${zeekctl_program} deploy
}
-zeek_cleanup() {
- if [ ! "${node}" ];
- then
- $zeekctl_program cleanup
- else
- $zeekctl_program cleanup ${node}
- fi
+zeek_install()
+{
+ run ${zeekctl_program} install
}
-zeek_status() {
- $zeekctl_program status
+zeek_cleanup()
+{
+ if [ ! "${node}" ]; then
+ run ${zeekctl_program} cleanup
+ else
+ run ${zeekctl_program} cleanup ${node}
+ fi
}
-load_rc_config $name
+zeek_status()
+{
+ run ${zeekctl_program} status
+}
+
+load_rc_config ${name}
run_rc_command "$1"
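Review bot: In `run()` both branches flatten their arguments with an unquoted `$*`, and the non-root branch passes that string to `su -c`, where a shell parses it a second time. A `node` value (taken from `$2`) containing whitespace or shell metacharacters would therefore not reach zeekctl as a single argument. The root branch can be `"$@"`; for the `su` branch it is simplest to reject node names outside an expected character set before calling `run`. `su -m` also leaves the caller's environment unmodified, so root's environment is carried into the process running as `zeek_user`; a comment stating that this is intended would help.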
Modified: head/security/zeek/pkg-plist
==============================================================================
--- head/security/zeek/pkg-plist Fri Nov 6 18:22:47 2020 (r554308)
+++ head/security/zeek/pkg-plist Fri Nov 6 18:38:46 2020 (r554309)
@@ -1,4 +1,5 @@
@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/logs
+%%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/share/zeekctl/scripts
%%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool
%%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool/tmp
%%ZEEKCTL%%@postexec chown -R %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool/installed-scripts-do-not-touch
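Review bot: The added `@postexec chown` makes `share/zeekctl/scripts` owned by %%ZEEKUSER%%, so that account can add, remove or replace entries in a directory of scripts that zeekctl presumably executes. The rc.d script in this same commit still defaults `zeek_user` to root. If zeekctl is run as root on such an install, files controlled by the unprivileged account may be executed with root privileges. Consider applying the ownership change only when the service is configured to run as the zeek user, or at least record the constraint next to the line, e.g. `@comment scripts dir is writable by %%ZEEKUSER%%: do not run zeekctl as root`, and repeat it in pkg-message.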
@@ -16,15 +17,9 @@ bin/zeek-config
bin/zeek-cut
bin/zeek-wrapper
%%ZEEKCTL%%bin/zeekctl
-%%ZEEKCTL%%@preunexec if cmp -s %D/etc/networks.cfg.example %D/etc/networks.cfg ; then rm -f %D/etc/networks.cfg; fi
-%%ZEEKCTL%%etc/networks.cfg.example
-%%ZEEKCTL%%@postexec if [ ! -f %D/etc/networks.cfg ] ; then cp -p %D/etc/networks.cfg.example %D/etc/networks.cfg; fi
-%%ZEEKCTL%%@preunexec if cmp -s %D/etc/node.cfg.example %D/etc/node.cfg ; then rm -f %D/etc/node.cfg; fi
-%%ZEEKCTL%%etc/node.cfg.example
-%%ZEEKCTL%%@postexec if [ ! -f %D/etc/node.cfg ] ; then cp -p %D/etc/node.cfg.example %D/etc/node.cfg; fi
-%%ZEEKCTL%%@preunexec if cmp -s %D/etc/zeekctl.cfg.example %D/etc/zeekctl.cfg ; then rm -f %D/etc/zeekctl.cfg; fi
-%%ZEEKCTL%%etc/zeekctl.cfg.example
-%%ZEEKCTL%%@postexec if [ ! -f %D/etc/zeekctl.cfg ] ; then cp -p %D/etc/zeekctl.cfg.example %D/etc/zeekctl.cfg; fi
+ at sample etc/networks.cfg.sample
+ at sample etc/node.cfg.sample
+ at sample etc/zeekctl.cfg.sample
include/binpac/binpac.h
include/binpac/binpac_analyzer.h
include/binpac/binpac_buffer.h
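Review bot: The three new `@sample` entries (rendered as `at sample` by the list archive) drop the `%%ZEEKCTL%%` prefix that every removed line for these files carried. The Makefile renames the files to `.sample` only in `post-install-ZEEKCTL-on`, so with the ZEEKCTL option off the plist would list files that staging does not produce, and the plist check would be expected to fail. The entries should read `%%ZEEKCTL%%@sample etc/networks.cfg.sample`, and likewise for node.cfg and zeekctl.cfg.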
@@ -1722,7 +1717,7 @@ man/man8/zeek.8.gz
%%DATADIR%%/policy/tuning/defaults/warnings.zeek
%%DATADIR%%/policy/tuning/json-logs.zeek
%%DATADIR%%/policy/tuning/track-all-assets.zeek
-%%DATADIR%%/site/local.zeek
+ at sample %%DATADIR%%/site/local.zeek.sample
%%ZEEKCTL%%%%DATADIR%%/zeekctl/__load__.zeek
%%ZEEKCTL%%%%DATADIR%%/zeekctl/auto.zeek
%%ZEEKCTL%%%%DATADIR%%/zeekctl/check.zeek